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Message  from  the  Auditor  General 

What  we  do  and  why  it's  important 

After  almost  eight  years  as  the  Auditor  General  of  Alberta,  I  will  be  retiring  on 
February  15,  2010.  As  this  will  be  my  last  public  report,  1  wanted  to  take  this 
opportunity  to  say  that  it  has  been  an  honour  and  privilege  to  serve  the  members 
of  the  Legislative  Assembly,  and  through  them,  the  people  of  Alberta. 

Our  Office's  role         As  an  independent  Officer  of  the  Legislature,  my  role  has  been  to  assist  the 
Legislative  Assembly,  and  in  particular  the  Public  Accounts  Committee,  in 
holding  the  government  accountable.  Our  Office  provides  opinions  on  whether 
the  consolidated  financial  statements  of  the  province,  and  the  financial  statements 
of  every  ministry,  department,  fund  and  provincial  agency,  are  presented  fairly, 
clearly  and  completely.  Our  financial  statement  audits  often  lead  to 
recommendations  to  improve  the  financial  reports,  and  the  processes  that  produce 
them.  Another  key  part  of  our  mandate  is  to  examine  and  report  on  the 
government's  accounting  and  management  control  systems.  Through  our  systems 
audit  work,  we  identify  opportunities  and  propose  solutions  to  improve  the  use  of 
public  resources.  We  report  our  findings  and  recommendations  to  the  Legislative 
Assembly  through  our  semi-annual  public  reports. 

While  many  of  the  issues  that  our  Office  has  dealt  with  over  the  years  are 
challenging,  sensitive,  and  sometimes  contentious,  I'm  pleased  that  our  work  has 
contributed  to  positive  changes  around  important  issues  that  impact  the  lives  of 
Albertans. 

Report  Highlights 

I  have  tried  to  focus  our  priorities  and  resources  in  areas  that  result  in  improved: 

•  gov  ernance  and  ethical  behaviour — these  underpin  the  success  of  any 
organization 

•  safety  and  welfare  of  all  Albertans — especially  the  most  vulnerable  in  our 
society 

•  security  and  use  of  the  province's  resources — which  belong  to  all  Albertans 
and  must  be  protected  for  future  generations 

( food  governance         Transparency  and  informed  decision-making  are  key  elements  of  good 

governance.  In  this  report,  we  have  made  several  recommendations  that  highlight 
the  need  for  improved  governance.  In  particular,  our  recommendations  relating  to 
executive  compensation1  and  termination  payments"  all  demonstrate  how 
important  it  is  to  have  well-understood,  consistently  applied,  and  transparent 


'  Recommendation  No.  I — page  22,  Recommendation  No.  18 — page  144 
:  Recommendation  No.  27 — page  254 
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practices.  Otherwise,  it  is  difficult  for  the  government  to  hold  boards  accountable 
for  how  they  spend  public  funds. 

Our  recommendations  relating  to  food  safety3  and  commercial  vehicle  safety4 
demonstrate  the  importance  of  having  effective  systems  for  monitoring  and 
enforcing  compliance  with  regulatory  requirements.  If  compliance  is  not 
consistently  and  effectively  monitored  and  enforced,  behaviours  won't  change, 
and  public  health  and  safety  will  not  be  improved. 

In  this  report,  we  have  also  identified  cases  where  costs  are  not  clearly 
understood,  explained,  or  transparent5.  Effective  cost  planning  ensures  that 
Albertans  are  receiving  value  for  money,  and  public  resources  are  being  managed 
responsibly.  Without  being  able  to  fully  understand  or  explain  the  costs  of  a 
government  program  or  activity,  it's  difficult  to  assess  whether  the  results  are 
justified,  or  be  able  to  assess  if  steps  to  control  and  reduce  costs  are  working. 
This  is  particularly  important  for  the  Legislative  Assembly  since  they  consider 
and  approve  budgets.  The  public  also  has  a  right  to  know  how  the  government  is 
managing  its  resources,  and  what  its  strategies  are  for  determining  and 
controlling  costs. 

Acknowledgement  and  thanks 

In  closing,  I  want  to  express  my  gratitude  to  the  following  and  thank  them  for  all 
of  the  advice,  suggestions,  and  support  they  have  given  through  the  years: 

•  Members  of  the  Legislative  Assembly,  in  particular  members  of  the 
Standing  Committee  on  Public  Accounts  who,  through  their  questions  and 
suggestions,  identify  audits  that  would  help  them  do  their  work  as 
legislators. 

•  Members  of  the  public,  who  contact  us  with  concerns  about  government 
systems.  They  help  us  to  plan  the  focus  of  our  future  audit  work. 

•  Members  of  the  Provincial  Audit  Committee,  who  provide  wise  counsel. 
This  group  of  senior  business  executives  with  financial,  business  and 
governance  skills  has  an  important  advisory  role  to  government  and  our 
Office. 


3  Food  Safety — Follow-up — page  87 

4  Commercial  Vehicle  Safety — page  1 1 5 

5  Recommendation  No.  5 — page  51,  Recommendation  No.  6 — page  73 
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•  The  organizations  that  we  audit,  whose  cooperation  is  fundamental  to  our 
success.  Senior  management  and  board  members  of  audited  organizations 
meet  with  us  to  discuss  our  audit  plans,  findings,  and  recommendations. 
They  give  us  the  necessary  information,  reports,  and  explanations  to  our 
questions. 

•  Various  advisors,  who  contribute  their  expertise  to  help  us  complete  our 
major  systems  audits. 

Finally,  I  want  to  say  that  I  have  been  very  fortunate  over  these  years  to  work 
with  an  Office  full  of  talented  individuals,  whose  dedication  and  commitment  to 
improving  the  public  sector,  has  resulted  in  lasting  benefits  to  all  Albertans. 
Although  my  time  with  the  Office  is  coming  to  a  close,  I  know  that  my  staff  w  ill 
continue  to  make  a  difference  by  identifying  opportunities  to  improve 
government  programs  and  initiatives  that  affect  peoples'  lives,  and  ensuring  that 
Albertans  are  getting  good  value  for  their  money. 


Fred  J.  Dunn,  FCA 
Auditor  General 


September  25,  2009 
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Recommendation  Highlights 

This  report  contains  75  recommendations,  all  listed,  starting  at  page  7.  We  have 
numbered  35  recommendations  that  need  a  formal  response  from  the  government. 
Of  the  35  numbered  recommendations,  27  are  new,  and  the  other  8  repeat  previous 
recommendations  where  implementation  progress  was  too  slow.  By  repeating  these 
recommendations,  we  expect  the  government  to  formally  recommit  to  their 
implementation. 

Prioritizing  our  recommendations 

As  part  of  the  audit  process,  we  provide  recommendations  to  gov  ernment  in 
documents  called  management  letters.  We  use  our  public  reporting  to  bring  our 
recommendations  to  the  attention  of  Members  of  the  Legislative  Assembly  (MLAs). 
For  example,  members  of  the  all-party  Standing  Committee  on  Public  Accounts 
refer  to  the  recommendations  in  our  public  reports  during  their  meetings  with 
representatives  of  government  ministries  and  agencies. 

To  help  MLAs,  we  prioritize  recommendations  in  our  public  reports  to  indicate 
where  we  believe  they  should  focus  their  attention.  We  categorize  them  as  follows: 

•  Key  recommendations — these  are  the  numbered  recommendations  we  believe 
are  the  most  significant. 

•  Numbered  recommendations — these  recommendations  require  a  formal 
response  from  the  government.  By  implementing  these  recommendations,  the 
government  will  significantly  improve  the  safety  and  welfare  of  Albertans,  the 
security  and  use  of  the  province's  resources,  or  the  governance  and  ethics  with 
which  government  operations  are  managed. 

•  Unnumbered  recommendations — these  recommendations,  although 
important,  do  not  require  a  formal  response  from  government. 

Reporting  the  status  of  recommendations 

We  follow  up  all  recommendations  and  report  their  status  in  our  public  reports.  The 
timing  of  our  follow-up  audits  depends  on  the  nature  of  our  recommendations.  To 
encourage  timely  implementation,  and  assist  with  the  timing  of  our  follow-up 
audits,  we  require  a  reasonable  implementation  timeline  on  all  recommendations 
accepted  by  the  government  or  the  entities  we  audit.  We  recognize  some 
recommendations  will  take  longer  to  fully  implement  than  others  but  we  encourage 
full  implementation  within  three  years.  Typically,  we  do  not  report  on  the  progress 
of  an  outstanding  recommendation  until  management  has  had  sufficient  time  to 
implement  the  recommendation  and  we  have  completed  our  follow-up  audit  work. 
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The  status  of  our  recommendations  is  reported  as  follows: 

Implemented — we  briefly  explain  how  the  government  implemented  the 
recommendation. 

Repeated — we  explain  why  we  are  repeating  the  recommendation  and  what  the 
government  must  still  do  to  implement  the  recommendation. 
Progress  report — we  provide  information  when  we  consider  it  useful  for  MLAs 
to  understand  management's  actions. 

Satisfactory  progress  report — we  may  want  to  state  that  progress  is  satisfactory 
based  on  the  results  of  a  follow-up  audit. 

Changed  circumstances — if  the  recommendation  is  no  longer  valid,  we  briefly 
explain  why. 


Outstanding  recommendations 

We  have  a  chapter  called  Past  Recommendations — see  page  335.  It  provides  a 
complete  list  of  the  recommendations  that  are  not  yet  implemented.  Although 
management  may  consider  some  of  these  recommendations  implemented,  we  do  not 
remove  recommendations  from  the  list  until  we  have  been  able  to  complete 
follow-up  audit  work  to  confirm  implementation. 
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October  2009  Recommendations 

®==3cT — Indicates  a  key  recommendation 
Green  print — numbered  recommendations 
Black  print — unnumbered  recommendations 


Systems  Audits 


Public  Agencies — Executive  Compensation 

Page  23    Executive  compensation  practices — Recommendation  No.  1 

We  recommend  that  the  Deputy  Minister  of  Executive  Council,  through  the  Agency  Governance  Secretariat, 
assist  public  agencies  and  departments  by  providing  guidance  on  executive  compensation  practices  for  all 
public  agency  senior  executives. 

Page  29    Disclosure  of  termination  benefits  paid — Recommendation  No.  2 

We  recommend  that  the  Ministry  of  Treasury  Board  increase  transparency  of  termination  benefits  by 
adopting  disclosure  practices  for  Alberta  public  agencies  that  disclose  termination  benefits  paid. 

Alberta's  Response  to  Climate  Change — Part  2 

Page  40    Data  quality — Recommendation 

We  recommend  that  the  Department  of  Environment  strengthen  its  guidance  for  baseline  and  compliance 
reporting  by: 

•  clarifying  when  uncertainty  calculations  must  be  done 

•  prescribing  the  minimum  required  quality  standards  for  data  in  terms  of  minimum  required  frequency 
of  measurement  and  connection  to  the  period  being  reported  on 

•  describing  the  types  of  data  controls  that  facilities  should  hav  e  in  place 

Page  42    Guidance  to  verifiers  of  facility  baseline  and  compliance  reports — Recommendation  No.  3 

We  recommend  that  the  Department  of  Environment  strengthen  its  baseline  and  compliance  guidance  for 
verifiers  by  improving  the  description  of  the  requirements  for: 

•  the  nature  and  extent  of  testing  required 

•  the  content  of  verification  reports 

•  assurance  competencies 

Page  45    Technical  review — Recommendation 

We  recommend  that  the  Department  of  Environment  strengthen  its  technical  review  processes  by: 

•  requiring  facilities  to  provide  a  process  map  with  their  compliance  reporting  and 

•  ensuring  staff  document  their  follow-up  activity  and  decisions  in  the  Department's  regulatory  database 

Page  46    Use  of  offsets  to  meet  compliance  obligations — Recommendation  No.  4 

•  We  recommend  that  the  Department  of  Env  ironment: 

•  strengthen  its  offset  protocols  to  have  sufficient  assurance  that  offsets  used  for  compliance  are  v  alid 

•  assess  the  risk  of  offsets  applied  in  Alberta  hav  ing  been  used  elsewhere  in  the  w  orld 

Page  49    Outsourced  service  providers — Recommendation 

We  recommend  that  the  Department  of  Environment  develop  controls  to  gain  assurance  that  data  hosted  or 
processed  by  third  parties  is  complete,  accurate  and  secure. 

We  also  recommend  that  the  Department  of  Env  ironment  formalize  its  agreement  with  its  serv  ice  prov  ider 
for  the  Alberta  Emissions  Offset  Registry. 
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Page  50    Error  correction  threshold — Recommendation 

We  recommend  the  Department  of  Environment  establish  an  error  correction  threshold  that  considers  not 
only  the  percentages  of  emissions  or  production,  but  also  the  dollar  impact  on  the  Climate  Change  and 
Emissions  Management  Fund. 

Page  5 1    Cost-effectiveness  of  regulatory  processes — Recommendation  No.  5 

(0>=!ikf    We  recommend  that  the  Department  of  Environment  assess  the  cost-effectiveness  of  the  Specified  Gas 
Emitters  Regulation. 

Public  Affairs  Bureau — Media  Contracting  Services 

Page  56    PAB's  Agency  of  Record  risk  assessment — Recommendation 

We  recommend  that  the  Public  Affairs  Bureau  conduct  a  risk  assessment  of  its  Agency  of  Record  contracts 
and  develop  a  plan  to  manage  the  risks  it  identifies. 

Electronic  Health  Records 

Page  73    Oversight  and  accountability  for  electronic  health  records  (EHR) — Recommendation  No.  6 

(OH^'kf    We  recommend  that  the  Department  of  Health  and  Wellness  and  Alberta  Health  Services,  working  with  the 
EHR  Governance  Committee,  improve  the  oversight  of  electronic  health  record  systems  by: 

•  maintaining  an  integrated  delivery  plan  that  aligns  with  the  strategic  plan 

•  improving  systems  to  regularly  report  costs,  timelines,  progress  and  outcomes 

Page  75    Project  management — Recommendation  No.  7 

We  recommend  the  Department  of  Health  and  Wellness  execute  publicly  funded  electronic  health  record 
projects  and  initiatives  in  accordance  with  established  project  management  standards. 

Page  78    Monitoring  the  EHR — Recommendation  No.  8 

We  recommend  the  Department  of  Health  and  Wellness  proactively  monitor  access  to  the  portal  (Netcare), 
through  which  the  electronic  health  records  can  be  viewed,  reviewing  it  for  potential  attacks,  breaches  and 
system  anomalies. 

Page  80    User  access  management — Recommendation 

We  recommend  that  the  Department  of  Health  and  Wellness  ensure  that  its  user  access  management  policies 
are  followed  and  that  user  access  to  health  information  is  removed  when  access  privileges  are  no  longer 
required. 

Food  Safety — Follow-up 

Page  93    Food  establishment  inspection  programs — Recommendation  No.  9 — repeated 

(SH^    We  again  recommend  that  Alberta  Health  Services  improve  their  food  establishment  inspection  programs. 
Specifically,  AHS  should: 

•  inspect  food  establishments  following  generally  accepted  inspection  frequency  standards 

•  ensure  that  inspections  are  consistently  administered  and  documented 

•  follow  up  critical  violations  promptly  to  ensure  that  food  establishments  have  corrected  those  violations 

Page  99    Food  safety  information  systems — Recommendation  No.  10 — repeated 

We  again  recommend  that  Alberta  Health  Services,  supported  by  the  Department  of  Health  and  Wellness, 
improve  their  automated  food  safety  information  systems.  This  includes: 

•  enhancing  system  management,  security,  and  access  control 

•  ensuring  data  consistency 

•  ensuring  that  service  level  agreements  are  in  place 

•  developing  reporting  capacity  for  management  and,  accountability  purposes 
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Page  107    Integrated  food  safety  planning  and  activities — Recommendation  No.  1 1  —  repeated 

We  again  recommend  that  the  Departments  of  Health  and  Wellness  and  Agriculture  and  Rural  Dev  elopment, 
in  cooperation  with  Alberta  Health  Services  and  federal  regulators,  improve  planning  and  coordination  of 
food  safety  activities  and  initiatives.  This  includes: 

•  improv  ing  day-to-day  coordination  of  provincial  food  safety  activities 

•  improv  ing  cooperation  and  working  relationships  among  provincial  and  federal  partners  such  as  the 
First  Nations  and  limit  Health  Branch  and  the  Canadian  Food  Inspection  Agency 

Page  I  10    Eliminating  gaps  in  food  safety  inspection  coverage — Recommendation  No.  12 — repeated 

We  again  recommend  that  Alberta  Health  Services  and  the  Departments  of  Health  and  Wellness  and 
Agriculture  and  Rural  Development,  working  with  federal  regulators,  eliminate  the  existing  gaps  in  food 
safety  coverage  in  Alberta.  Gaps  include: 

•  mobile  butchers 

•  consistently  administering  the  Meat  Facility  Standard 

•  coordinating  inspections  in  the  "non-federally  registered"  sector 

Page  113     Accountability — Recommendation  No.  13 — repeated 

We  again  recommend  that  the  Departments  of  Health  and  Wellness  and  Agriculture  and  Rural  Development 
improve  reporting  on  food  safety  in  Alberta. 

Commercial  Vehicle  Safety 

Page  124    Inspection  tools  and  vehicle  selection — Recommendation 

We  recommend  that  the  Department  of  Transportation  improve  its  inspection  capability  by  incorporating  risk 
analysis  into  the  selection  of  vehicles  for  roadside  inspection  and  increasing  the  amount  of  information 
available  at  roadside. 

Page  127    Progressive  sanctions — Recommendation  No.  14 

We  recommend  that  the  Department  of  Transportation  strengthen  enforcement  processes  relating  to,  or 
arising  from,  roadside  inspections. 

Page  129    Analysis  and  measurement — Recommendation  No.  15 

We  recommend  that  the  Department  of  Transportation  further  dev  elop  and  improve  its  data  analysis 
practices  for  use  in  program  deliv  ery  and  performance  measure  reporting. 
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Government  of  Alberta  and  Ministry  Annual  Reports 

Page  136    Analysis  and  review  of  performance  measures — Recommendation  No.  16 

We  recommend  the  Ministry  of  Treasury  Board  work  with  Ministries  to  improve  processes  at  the  ministry 
level  relating  to  analysis  and  rev  iew  of  performance  measures.  We  also  recommend  the  Ministry  of  Treasury 
Board  establish  a  protocol  with  ministries  whereby  it  is  informed  of  proposed  changes  by  ministries  to 
performance  measures  methodology  in  a  timely  manner. 

Advanced  Education  and  Technology 
Page  142    Department  of  Advanced  Education  and  Technology — Grant  accountability — 
Recommendation  No.  17 

We  recommend  that  the  Department  of  Adv  anced  Education  and  Technology  improve  its  processes  for 
managing  conditional  grants. 

Page  144    Department  of  Advanced  Education  and  Technology — Annual  report  standards  for  post-secondary 
institutions — Recommendation 

We  recommend  that  the  Department  of  Advanced  Education  and  Technology  improv  e  its  requirements  for 
annual  reports  from  post-secondary  institutions. 
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Page  146    University  of  Calgary — Improving  executive  compensation  processes — Recommendation  No.  18 

We  recommend  that  the  University  of  Calgary  Board  of  Governors  establish  systems  to  guide  all  aspects  of 
compensation,  including  timely  negotiation  and  completion  of  employment  contracts  for  senior  executive 
positions. 

Page  153    University  of  Calgary — Improve  payroll  controls — Recommendation — repeated 

We  again  recommend  that  the  University  of  Calgary  improve  controls  over  payroll  functions. 

Page  155    University  of  Calgary — Improve  PeopIeSoft  security — Recommendation  No.  19 — repeated 

We  again  recommend  that  the  University  of  Calgary  improve  controls  in  its  PeopIeSoft  system  by: 

•  finalizing  and  implementing  the  security  policy  and  security  design  document 

•  ensuring  that  user  access  privileges  are  consistent  with  the  user's  business  requirements  and  the 
security  policy. 

Page  157    University  of  Calgary — Improving  controls  over  journal  entries — Recommendation — repeated 

We  again  recommend  that  the  University  of  Calgary  improve  controls  over  approvals  and  documentation  for 
journal  entries. 

Agriculture  and  Rural  Development 

Page  168    Agriculture  Financial  Services  Corporation — IT  risk  assessment  and  control  framework — 
Recommendation 

We  recommend  that  Agriculture  Financial  Services  Corporation: 

•  complete  an  Information  Technology  (IT)  risk  assessment  to  identify  and  rank  the  risks  within  its 
computing  environment,  linking  to  business  objectives;  and 

•  design  and  implement  IT  controls  to  mitigate  the  risks  it  identifies. 

Page  170    Agriculture  Financial  Services  Corporation — Note  payable  repurchase — Recommendation 

We  recommend  that  Agriculture  Financial  Service  Corporation  perform  an  analysis  on  debt  restructuring  to 
verify  cost  effectiveness  and  confirm  alignment  with  its  overall  cash  management  objectives. 

Page  1 70    Agriculture  Financial  Services  Corporation — Investment  portfolio  analysis — Recommendation 

We  recommend  that  Agriculture  Financial  Services  Corporation  perform  a  quarterly  review  of  the  market 
value  of  its  investment  portfolio. 

Employment  and  Immigration 

Page  1 86    Fraud  investigation  processes — Recommendation 

We  recommend  that  the  Department  of  Employment  and  Immigration  improve  the  processes  of  its 
investigation  units  by: 

•  defining  clear  objectives  for  investigation  units 

•  establishing  guidelines  for  determining  when  they  should  undertake  a  fraud  investigation 

•  providing  fraud-specific  training  for  investigation  unit  staff 

Page  189    Internal  audits  and  home  visits — Recommendation 

We  recommend  that  the  Department  of  Employment  and  Immigration  improve  its  processes  by  developing: 

•  timelines  and  strategies  to  respond  to  findings  arising  from  internal  audits 

•  a  risk-based  approach  to  augment  the  random  sample  selection  method  currently  used  for  internal 
audits  and  home  visits 

Page  191    Workers'  Compensation  Board  (WCB) — Claims  audit — Recommendation 

We  recommend  that  WCB  assess  whether  it  is  conducting  sufficient  claims  audits  each  year. 

Page  192    Workers'  Compensation  Board  (WCB) — Access  and  security  monitoring — Recommendation 

We  recommend  that  WCB  formalize  its  security  monitoring  procedures  to  ensure  that  security  threats  to 
critical  information  systems  are  detected  in  a  timely  manner. 
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Energy 

Page  195    Department  of  Energy — Bitumen  valuation  methodology  implementation — Recommendation  No.  20 

We  recommend  that  the  Department  of  Energy  improve  its  monitoring  of  the  implementation  of  the  bitumen 
valuation  methodology. 

Page  197    Department  of  Energy — Improving  processes  to  prepare  financial  information — Recommendation 

We  recommend  that  the  Department  of  Energy  improve: 

•  internal  communication  processes  between  the  Finance  branch  and  program  staff 

•  quality  control  processes  for  the  preparation  of  working  papers  and  financial  statements 

•  the  timely  completion  of  accurate  financial  Information 

Page  199    Department  of  Energy — Sustaining  the  continued  accuracy  of  the  revenue  forecast  system- 
Recommendation  No.  21 

We  recommend  that  the  Department  of  Energy  improve  the  controls  and  documentation  supporting  the 
revenue  forecast  model  to  help  ensure  the  continued  accuracy  of  the  forecast  system. 

Page  200    Department  of  Energy — Corporate  effective  royalty  rate — Recommendation  No.  22 

We  recommend  that  the  Department  of  Energy  monitor  the  impact  of  the  change  in  the  provincial  av  erage 
corporate  effective  royalty  rate  on  the  Department's  accounts  receivable  and  incentive  programs. 

Page  202    Energy  Resources  Conservation  Board — Assessing  and  improving  SAP  security  controls — 
Recommendation 

We  recommend  the  Fnergv  Resources  Conservation  Board  assess  the  adequacy  of  its  SAP  business 
application  access  and  security  controls  and  configurations  to  ensure  its  information  is  properly  protected. 

Environment 

Page  207    Financial  security  for  land  disturbances — Recommendation  No.  23 — repeated 

We  again  recommend  that  the  Department  of  Env  ironment  implement  a  system  for  obtaining  sufficient 
financial  security  to  ensure  parties  complete  the  conservation  and  reclamation  activity  that  the  Department 
regulates. 

Finance  and  Enterprise 

Page  214    Department  of  Finance — Quality  control  process  over  review  of  information  in  the  annual  report- 
Recommendation 

We  recommend  that  the  Department  of  Finance  and  Enterprise  improv  e  its  quality  control  rev  iew  process 
over  the  financial  statements  information  in  the  Ministry  annual  report. 

Page  2 1 6    Department  of  Finance — Contract  agreements — Recommendation 

We  recommend  that  the  Department  of  Finance  and  Enterprise  have  signed  contract  agreements  in  place 
before  goods  or  services  are  supplied. 

Page  22 1     Alberta  Treasury  Branches — Internal  controls — Recommendation 

We  recommend  that  the  Alberta  Treasury  Branches  Strategic  Steering  Committee  receive  the  appropriate 
assurance  from  the  project  leadership  team  that  the  organization's  control  objectives  have  been  satisfied 
before  the  user  acceptance  testing  phase  of  the  project  is  complete. 

Page  222    Alberta  Treasury  Branches — Organization-wide  information  technology  oversight — 
Recommendation  No.  24 

We  recommend  that  Alberta  Treasury  Branches  improve  the  efficiency  and  effectiveness  of  its  computing 
environment  by  developing  a  process  to  ensure  all  ATB  Business  Units  adopt  and  follow  an  organization- 
wide  Information  Technology  governance  and  control  framework. 
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Page  226    Alberta  Treasury  Branches — Process  for  confirming  compliance  with  Alberta  Finance  and  Enterprise 
guidelines — Recommendation  No.  25 — repeated 

We  again  recommend  that  Alberta  Treasury  Branches: 

•  improve  the  processes  for  confirming  its  compliance  with  Alberta  Finance  and  Enterprise's 
Outsourcing  of  Business  Activities,  Functions  and  Processes  Guideline 

•  review  and  assess  the  appropriateness  of  the  ATB  staff  responsible  for  ensuring  compliance  with 
Alberta  Finance  and  Enterprise  guidelines 

Page  227    Alberta  Treasury  Branches — Service  auditor  reports — user  control  considerations — Recommendation 

We  recommend  that  Alberta  Treasury  Branches  improve  its  processes  related  to  service  providers  by 
ensuring  its  business  areas: 

•  receive  service  provider  audit  reports 

•  review  service  provider  audit  reports  and  assess  the  impact  of  identified  internal  control  weaknesses 

•  put  end-user  controls  in  place  to  complement  service  provider  controls 

Page  232    Alberta  Investment  Management  Corporation  (AIMCo) — Internal  audit — Recommendation 

We  recommend  that  AIMCo  re-establish  an  Internal  Audit  group. 

Page  233    Alberta  Investment  Management  Corporation  (AIMCo) — Valuation  of  private  equity  and  hedge  fund 
investments — Recommendation  No.  26 

We  recommend  that  AIMCo  establish  a  process  to  estimate  current  market  values  for  private  and  hedge  fund 
investments. 

Page  235    Alberta  Investment  Management  Corporation  (AIMCo) — Coordination  with  the  Department  of 
Finance  and  Enterprise — Recommendation 

We  recommend  that  AIMCo  work  with  the  Department  of  Finance  and  Enterprise  to: 

•  record  all  financial  statement  accounting  adjustments  in  the  investments  general  ledger  on  a  timely 

basis 

•  coordinate  the  timing  of  private  investment  valuations  so  that  valuation  updates  to  the  investments 
general  ledger  are  entered  before  the  Department  performs  its  quarterly  write-down  analysis 

Page  236    Alberta  Investment  Management  Corporation  (AIMCo) — AIMCo  Financial  statements — 
Recommendation 

We  recommend  that  AIMCo  improve  its  processes  and  internal  controls  to  achieve  completeness,  accuracy 
and  increased  efficiency  in  financial  reporting. 

Health  and  Wellness 

Page  248    Compliance  monitoring  activities— Recommendation 

We  recommend  that  the  Department  of  Health  and  Wellness  examine  and  clarify  the  role  of  its  Compliance 
Assurance  Branch  in  the  implementation  and  execution  of  infection  prevention  and  control  compliance 
monitoring  in  Alberta. 

Page  252    Accountability  for  conditional  grants — Recommendation — repeated 

We  again  recommend  that  the  Department  of  Health  and  Wellness  improve  its  control  processes  to  ensure 
accountability  for  conditional  grants. 

Page  256    Alberta  Health  Services — Executive  termination  payments — Recommendation  No.  27 

We  recommend  that  Alberta  Health  Services  establish  controls  for  executive  termination  payments  by: 

•  developing  and  implementing  appropriate  approval  and  oversight  processes 

•  clearly  defining  termination  and  post-termination  benefits  in  employment  contracts 

•  including  future  termination  benefits  in  the  salary  and  benefit  disclosure  in  the  financial  statements. 
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Page  260    Alberta  Health  Services — Supplemental  )  retirement  plans — Recommendation  No.  28 

We  recommend  that  Alberta  Health  Serv  ices  review  existing  supplementary  retirement  plans  and: 

•  understand  the  terms  and  conditions  for  each  plan 

•  develop  clear  and  consistent  policies  and  processes  for  administering  them 

•  obtain  actuarial  valuations,  using  appropriate  and  consistent  assumptions,  for  the  plans 

•  understand  the  impact  of  funding  options 

•  ensure  sufficient  funds  arc  available  to  meet  plan  obligations 

Page  262    Alberta  Health  Services — Information  technology  control  policies  and  processes — 
Recommendation  No.  29 

®==^-    We  recommend  that  Alberta  Health  Services: 

•  develop  an  information  technology  control  framework,  including  appropriate  risk  management 
processes  and  controls,  for  the  management  of  its  information  technology  resources 

•  monitor  compliance  with  security  policies,  implementing  effective  change  management  processes  and 
improving  passwords  controls 

Page  267    Alberta  Health  Services — Budget  approval — Recommendation  No.  30 

We  recommend  that  Alberta  Health  Services  prepare  an  annual  business  and  financial  plan  and  that  this  plan 
be  approved  by  its  Board. 

Page  269     Vlhcrtn  Health  Services — Capital  project  funding  and  approval — Recommendation  No.  31 

We  recommend  that  Alberta  Health  Services: 

•  obtain  appropriate  approval  from  the  Minister  of  Health  and  Wellness  and  secure  adequate  capital 
funding  before  starting  capital  projects  that  are  internally  funded  or  debt  financed 

•  ensure  budgets  include  the  estimated  future  operating  costs  associated  with  new  capital 

Page  27  1     Alberta  Health  Services — Capital  project  monitoring  systems — Recommendation  No.  32 

®=slt?    We  recommend  that  Alberta  Health  Services  improve  the  efficiency  and  effectiv  eness  of  its  financial  capital 
project  monitoring  and  reporting  systems  and  processes  by: 

•  implementing  common  systems,  policies  and  procedures  to  track  and  monitor  key  financial  information 

•  prov  iding  relevant,  timely  and  accurate  information  to  Executive  Management  and  the  Audit  and 
Finance  Committee 

Page  274    Alberta  Health  Services — Year-end  financial  reporting  processes — Recommendation 

We  recommend  that  Alberta  Health  Services  improve  its  year-end  financial  reporting  processes  by: 

•  clearly  defining  roles,  responsibilities  and  decision  making  authorities  for  financial  reporting 

•  improv  ing  processes  to  identify  and  resolv  e  key  accounting  risks  and  reporting  issues  on  a  timely  basis 

Page  277    Alberta  Health  Serv  ices — Expenditure  policies  and  approvals — Recommendation 

We  recommend  that  Alberta  Health  Services  improv  e  the  efficiency  and  effectiv  eness  of  its  expense 
approv  al  controls  bv : 

•  developing  and  implementing  a  clear  and  comprehensive  expenditure  approval  policy 

•  automating  the  expenditure  controls  within  the  purchasing  system 

Page  278    Alberta  Health  Serv  ices — Approval  of  drug  purchases — Recommendation 

We  recommend  that  Alberta  Health  Services  improve  controls  for  drug  purchases  by  ensuring  they  are 
properly  approved  and  duties  are  appropriately  segregated. 

Page  279    Alberta  Health  Services — Physician  recruitment  incentives — Recommendation 

We  recommend  that  Alberta  Health  Services  improve  controls  for  physician  recruitment  incentiv  es  by 
developing  and  implementing  a  policy  that  identifies: 

•  criteria  and  approv  als  required  for  granting  loans,  income  guarantees  and  relocation  allowances 

•  monitoring  and  collection  procedures  for  physician  loans 
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Page  280    Alberta  Health  Services — Compliance  with  investment  policy — Recommendation 

We  recommend  that  Alberta  Health  Services  communicate  its  investment  policy  to  its  asset  manager  and 
monitor  its  investment  portfolio  on  a  regular  basis  to  ensure  compliance  with  the  investment  policy. 

Housing  and  Urban  Affairs 

Page  283    Direct  rent  supplement  program  payments — Recommendation 

We  recommend  that  the  Department  of  Housing  and  Urban  Affairs  improve  its  monitoring  processes  of 
direct  rent  supplement  payments  issued  by  management  bodies,  by  requiring  periodic  reviews  of  these 
payments. 

Infrastructure 

Page  287    IT  risk — Recommendation 

We  recommend  that  the  Ministry  of  Infrastructure  develop  and  implement  an  information  technology  risk 
management  framework. 

Page  288    Password  controls — Recommendation 

We  recommend  that  the  Ministry  of  Infrastructure  improve  password  controls  or  implement  compensating 
controls  to  properly  control  access  to  applications. 

Justice  and  Attorney  General 

Page  293    Motor  vehicle  accident  program — Clarifying  collection  steps — Recommendation  No.  33 

We  recommend  that  the  Department  of  Justice  clarify  the  collection  steps  for  judgments  assigned  to  it  under 
the  Motor  Vehicle  Accident  program. 

Page  295    Access  controls — Recommendation 

We  recommend  that  the  Department  of  Justice  obtain  assurance  that  organizations  provided  access  to  the 
Justice  On-line  Information  Network  are  following  the  Department's  policies  and  procedures  for  granting 
user  access. 

Municipal  Affairs 

Page  301     Disaster  Recovery  Program — Recommendation  No.  34 

We  recommend  that  the  the  Department  of  Municipal  Affairs  improve  its  management  of  the  disaster 
recovery  program  by: 

•  setting  timelines  for  key  steps  that  must  be  performed  before  federal  government  funding  can  be 
received 

•  periodically  assessing  and  adjusting  costs  and  recovery  estimates  based  on  current  information 

Service  Alberta 

Page  31 1     Information  technology  resumption  plan — Recommendation  No.  35 

We  recommend  that  the  Ministry  of  Service  Alberta  complete  and  test  an  information  technology  resumption 
plan. 

Page  312    Payroll  review  processes — Recommendation 

We  recommend  that  the  Ministry  of  Service  Alberta  improve  its  process  to  provide  timely  supporting 
documentation  on  payroll  information  that  it  maintains  for  itself  and  its  client  ministries. 
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Sustainable  Resource  Development 

Page  323    IT  control  framework — Recommendation 

We  recommend  the  Department  of  Sustainable  Resource  Development  improv  e  policies  and  processes  in  its 
information  technology  control  environment. 

Transportation 

Page  329    IT  risk  assessment — Recommendation 

We  recommend  that  the  Department  of  Transportation  dev  elop  and  implement  an  Information  Technology 
risk  assessment  framework. 
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Public  Agencies — Executive 
Compensation 

1.  Summary 

What  we  did 

We  brought  together  examples  of  executive  compensation  practices  in  Alberta's 
public  agencies'  to  illustrate  areas  where  public  agencies  can  improve  their 
practices  and  transparency.  We  identified  the  examples  through  our  2008  and 
2009  audits  of  public  agencies,  and  this  work  consolidates  the  examples  into 
one  place.  These  areas  of  improvement  expand  on  those  matters  identified  in 
our  2008  audit  of  Chief  Executive  Officer  selection,  evaluation  and 
compensation. 

Boards  of  directors  have  expressed  to  us  that  government-wide  guidance  on 
executive  compensation  practices  would  be  useful.  We  believe  public  agencies 
can  learn  from  the  experiences  of  others. 

What  we  found 

We  found  that  Alberta  public  agencies  do  not  follow  consistent  executive 
compensation  practices  and  do  not  always  meet  good  practices.  Public  agencies 
should  follow  prudent  practices  based  on  established  principles  that  are 
generally  accepted,  well  understood  and  transparent.  In  the  absence  of  clear 
guidance  from  government,  public  agencies  will  continue  to  develop  their  own 
executive  compensation  practices. 

Alberta  public  agencies  do  not  consistently  disclose  termination  benefits  paid  to 
senior  executives. 

What  needs  to  be  done 

The  government  needs  to  provide  public  agency  boards  of  directors  with 
adequate  and  appropriate  guidance  on  executive  compensation  governance.  The 
government  needs  to  assess  how  Alberta's  public  agencies  would  benefit  from 
the  private  sector's  approach  to  executive  compensation  governance  and 
disclosure.  While  not  all  private  sector  practices  apply  to  the  public  sector, 
many  of  the  principles,  if  adopted,  would  improve  the  governance  and 
transparency  of  executive  compensation  in  public  agencies. 


Examples 
illustrate  need  for 
improvement 


Public  ageneies  do 
not  always  meet 
good  practices 


Termination 
benefits  arc  not 
consistently 
disclosed 

Government 
guidance  would 
help  hoards 


'  For  the  purposes  of  this  report,  public  agencies  are  as  defined  in  the  Alberta  Public  Agencies  Governance  Act  (Bill  32). 
which  received  Royal  Assent  on  June  4.  2009,  but  has  not  yet  been  proclaimed  in  force. 
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Guidance  that  is 
acted  on  will 
improve  systems 


Clear  guidance  from  the  government  to  public  agencies  on  executive 
compensation  practices  will  help: 

•  establish  generally  accepted  and  well-understood  executive  compensation 
practices  that  improve  the  transparency  of  Alberta  public  agencies 

•  increase  efficiency  as  public  agency  boards  of  directors  use  this  guidance 
to  develop  a  deeper  understanding  of  current  compensation  practices  and 
evaluate  and  improve  their  current  practices 


Disclosure  needed 


Public  agencies  need  to  consistently  disclose  termination  benefits  paid. 


Transparency 
makes  boards 
more  accountable 


Why  this  is  important  to  Albertans 

Value  for  money,  in  the  context  of  public  agencies'  executive  compensation, 
means  executives  should  be  compensated  for  their  performance  and 
achievement  of  public  agency  and  government  objectives.  Without 
well-understood,  consistently  applied  and  transparent  executive  compensation 
systems,  it  is  more  difficult  for  Albertans  to  hold  public  agency  boards  of 
directors  accountable  for  their  decisions. 


A  well-designed  executive  compensation  process  will  ensure  that: 

•  boards  of  directors  understand  what  they  are  trying  to  achieve  through  the 
compensation  plan 

•  boards  of  directors  understand  the  value  of  the  entire  compensation 
package — Compensation  programs  generally  have  many  components 
(salary,  short-  and  long-term  performance  pay,  post-retirement  benefits, 
and  more)  that  boards  need  to  consider  together  when  evaluating  the 
appropriateness  of  the  compensation  package 

•  Albertans  understand  how  the  public  sector  compensates  executives 

The  absence  of  boundaries  or  limits  on  compensation  for  public  agency 
executives  makes  it  more  important  that  public  agencies  follow  a  well-defined 
and  transparent  executive  compensation  system. 

2.  Scope  of  our  work 

We  are  not  providing  an  opinion  on  the  appropriateness  or  fairness  of  Alberta 
public  agencies'  executive  compensation  decisions.  In  this  work,  we  examined 
the  underlying  executive  compensation  and  disclosure  practices  of  the  boards  of 
directors  that  govern  public  agencies. 

Designing  an  executive  compensation  package  is  complex  and  Alberta  public 
agencies  follow  various  systems  to  reach  their  decisions.  However,  public 
agencies'  boards  of  directors  can  use  our  observations  and  conclusions  to 
improve  their  executive  compensation  systems. 


Absence  of  limits 
makes 

transparency  more 
important 


Report  of  the  Auditor  General  of  Alberta 


October  2009 


Cross-Ministry 


Public  Agencies — Executive  Compensation 


Compensation 
used  to  attract, 
retain  and 
motivate 


Boards  govern 
public  agencies 


Boards  are  not 
required  to  follow 
public  service 
practices 


Government 
guidance  must 
respect  board 
autonomy 


Components  of 
compensation 


Our  objective  was  to  identify  areas  where  improvements  can  be  made.  We  have 
not  evaluated  all  public  agencies'  executive  compensation  systems  and 
packages.  Therefore,  we  have  only  named  public  agencies  in  this  report  when 
we  have  already  identified  the  agency  by  name  elsewhere  in  our  public  reports. 

3.  Background 

Alberta  public  agencies  use  compensation  packages  as  a  means  to  attract,  retain 
and  motivate  public  agency  executives.  For  Albertans  to  ensure  they  are  getting 
value  for  money,  compensation  should  result  from  a  well-designed  process  to 
pay  executives  fairly  for  the  performance  expected  and  delivered. 

In  a  public  agency  corporate  governance  model,  public  agencies  receive  their 
authority  through  legislation  and  operate  at  arm's  length  from  the  government. 
The  government  appoints  a  board  of  directors  to  govern  the  organization.  The 
board  oversees  management,  sets  strategic  direction  and  monitors  performance. 
The  board  also  establishes  its  own  compensation  programs  and  policies.  Boards 
are  accountable  to  ministers.  This  governance  model  attempts  to  balance  a 
public  agency's  autonomy  and  the  government's  accountability. 

Most  board-governed  Alberta  public  agencies  have  more  freedom  than  Alberta 
government  departments  to  determine  how  they  compensate  executives.  Public 
agency  boards  are  generally  not  required  to  follow  the  Public  Service  Act  or 
public  service  policies. 

The  government  has  a  role  to  play  in  providing  guidance  to  public  agencies  on 
executive  compensation  practices.  This  guidance  needs  to  balance  a  public 
agency  board's  autonomy  with  appropriate  government  oversight.  Public 
agencies  must  also  balance  the  need  to  attract  and  retain  executive  talent  with 
the  cost  to  the  public  sector. 

Public  agency  executive  compensation  packages  include  salary,  performance 
pay,  post-retirement  benefits,  and  other  benefits  such  as  disability  insurance,  life 
insurance,  health  and  dental  plans,  and  termination  benefits.  Certain  public 
agencies  provide  vehicles,  perquisites  (such  as  membership  fees,  car 
allowances,  and  others)  and  low  interest  loans. 


2  R.S.A.  2000,  c.P-40 
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Public  agency  executive  compensation  systems  are  not  all  the  same.  Systems 
vary  depending  on  the  type  of  public  agency  and  the  level  of  the  executive.  For 
example,  boards  of  directors  can  establish  chief  executive  officer  (CEO) 
compensation  through  three  different  models,  depending  upon  the  public 
agency: 

•  Compensation  arrangements  and  employment  contracts  are  negotiated 
between  the  CEO  and  the  public  agencies'  board. 

•  The  salaries  of  the  CEO  and  senior  officials  are  established  by 
Order-in-Council,  but  the  board  and  the  CEO  negotiate  the  remainder  of  the 
compensation  plan. 

•  Government  departments  establish  compensation  for  public  agency 
executives  who  are  essentially  department  employees.  These  employees 
typically  follow  a  government  salary  grid  and  public  service  pension  and 
benefit  plans. 

For  the  compensation  of  other  executives,  public  agency  boards  of  directors 
have  administrative  responsibility  for  establishing  the  compensation 
arrangement.  These  boards  may  delegate  their  authority  to  a  compensation  or 
human  resource  committee  or  to  the  organization's  CEO. 

4.  Recommendations 

In  our  October  2008  Report  (No.  1 — page  27),  we  recommended  that  the 
Deputy  Minister  of  Executive  Council  through  the  Agency  Governance 
Secretariat  assist  agencies  and  departments  by  providing  guidance  in  the  areas 
of  CEO  selection,  evaluation  and  compensation. 

The  government  accepted  our  recommendation  in  principle.  It  asked  the 
Secretariat  to  collaborate  with  Treasury  Board  and  Corporate  Human  Resources 
to  provide  consistent  information  and  guidance  on  good  practices  in  these  areas. 
The  government's  work  plan  to  implement  this  recommendation  is  to  be 
completed  by  the  end  of  the  2009-2010  fiscal  year. 

In  our  opinion,  the  government's  guidance  for  public  agency  boards  of  directors 
on  compensation  practices  should  focus  on  all  public  agency  executives — not 
just  CEOs.  Therefore,  our  new  recommendation  to  the  Deputy  Minister  of 
Executive  Council  broadens  our  2008  recommendation  to  include  all  senior 
executives  in  public  agency  senior  decision  making  group. 


Not  all 

compensation 
systems  are  the 
same 
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4.1  Executive  compensation  practices 
Recommendation  No.  1 
®«5         We  recommend  that  the  Deputy  Minister  of  Executive  Council,  through 
the  Agency  Governance  Secretariat,  assist  public  agencies  and 
departments  by  providing  guidance  on  executive  compensation  practices 
for  all  public  agency  senior  executives. 


Role  of  the 
Secretariat 


Guidance  has  not 
been  provided 


Background 

The  government  established  the  Agency  Governance  Secretariat  to  help  public 
agencies  implement  the  Public  Agencies  Governance  Framework  and  provide 
them  with  support  on  governance-related  matters.  The  government  developed 
the  Framework  in  response  to  recommendations  from  a  task  force  that  in  2007 
reviewed  the  governance  of  Alberta  public  agencies.  We  support  the  Secretariat 
in  its  role  of  helping  public  agencies  improve  governance  practices,  including 
executive  compensation  governance  practices. 

Criteria:  the  standards  we  used  for  our  audit 

The  government  should  provide  public  agencies  with  adequate  and  appropriate 
guidance  on  executive  compensation  practices. 

Observations  on  public  agency  executive  compensation  practices 

The  government  has  not  formally  provided  public  agencies  with  guidance  on 
executive  compensation  practices.  In  our  opinion,  public  agency  boards  of 
directors  would  benefit  from  the  government's  guidance. 


Areas  where 
impro\  ements  can 
be  made 


Current  practices 


Boards  need  clear 
policies  and 
compensation 
processes 


We  identified  the  following  areas  where  executive  compensation  practices  can 
be  improved: 

•  executive  compensation  systems  and  board  compensation  committees 

•  termination  benefits — these  are  amounts  due  to  an  executive  when  they 
stop  working  for  the  public  agency 

•  supplementary  retirement  plans 

•  performance  pay  (variable  pay,  bonuses,  or  pay-at-risk) 

•  board  oversight  of  executive  compensation  arrangements 

We  identify  in  an  Appendix,  (see  page  31)  current  practices  to  help  boards  of 
directors  evaluate  their  current  practices  and  determine  if  improvements  are 
necessary. 

Executive  compensation  systems  and  board  compensation  committees 

Our  October  2008  Report  recommends  a  number  of  compensation  practices  for 
public  agency  boards  of  directors.  The  areas  identified  where  improvements 
can  be  made  were: 

•  use  of  formal  compensation  policies 
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•  use  of  peer  group  comparisons  to  establish  target  compensation 

•  ensuring  the  peer  comparator  group  is  sufficiently  broad  and  of  sufficient 

size 

•  use  of  external  advisors  and  assessment  if  conflicts  of  interest  exist 

•  variable  pay  (performance  pay) 

•  severance  provisions  (termination  benefits) 

•  supplementary  retirement  plans 

While  the  issues  identified  in  2008  relate  to  CEO  compensation,  we  believe  our 
observations  apply  to  all  public  agency  senior  executive  compensation 
arrangements  that  are  the  result  of  similar  systems. 

Termination  benefits 

Termination  benefits  at  Alberta  public  agencies  are  not  consistent  among  public 
agencies  or  with  the  government's  practices  for  public  service  employees.  The 
Government  of  Alberta's  Treasury  Board  provides  direction  for  the  termination 
and  release  of  deputy  ministers  and  senior  officials.3  Public  agencies  are  not 
required  to  follow  this  directive,  other  than  for  some  identified  senior  officials. 
Instead,  each  public  agency  develops  its  own  termination  policies  and  practices. 
This  typically  results  in  higher  termination  benefits  than  would  have  been  paid 
if  the  public  agencies  had  followed  Treasury  Board's  directive. 

Specifically,  public  agencies'  termination  practices  included: 

•  notice  periods  ranging  from  18  to  33  months  for  health  sector  CEOs  and 
from  six  to  24  months  for  other  health  sector  executives 

•  paying  outplacement  and  legal  costs  for  some  terminated  executives 

•  paying  performance  bonuses  for  periods  after  the  executive  had  been 
terminated 

•  paying  supplementary  retirement  plan  (SRP)4  benefits  during  the  notice 
period,  at  costs  ranging  from  $20,000  to  $300,000 

•  paying  replacement  costs  of  life  insurance,  medical  and  dental  coverage  for 
a  terminated  executive 

•  allowing  continued  earning  of  pensionable  years  of  service  for  an 
executive  who  had  been  terminated 

•  not  having  clearly  defined  termination  benefits  in  employment  contracts 


1  Treasury  Board  Directive  01-96  -  Termination  and  Release  of  Deputy  Ministers  and  Other  Senior  Officials  -  The  Deputy 
Head  of  Executive  Council  may  approve  severance  up  to  the  equivalent  of  52  weeks  of  salary  plus  an  additional  amount  in 
lieu  of  benefits  for  senior  officials  and  deputy  heads.  The  directive  goes  on  to  state  that  if  this  individual  becomes  employed 
or  is  retained  by  fee-for-service  contract  during  the  severance  period  by  a  department  or  agency  the  individual  will  reimburse 
a  pro-rated  portion  of  their  termination  pay  to  the  employer. 

4  SRPs  are  designed  to  provide  retirement  benefits  similar  to  those  offered  under  registered  pension  plans,  but  without  the 
same  contribution  limits.  Employers  use  them  to  increase  the  retirement  compensation  of  higher  income  executives  and 
employees. 
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Release  agreement 
provisions  were 
not  consistent 


Deferred  salary  is 
not  disclosed 


B.C.  government 
has  dealt  with  the 


issue 


Guidance  on  the 
use  of  SRPs  not 
provided 


In  2008,  SRP 
obligations  were 
over  $47  million 


Various  terms  and 
benefits  provided 


Release  agreements  signed  by  the  terminated  executives  were  also  inconsistent. 
Some  agreements  included  non-compete  arrangements  while  others  used 
different  provisions  or  had  them  removed.  Provisions  similar  to  the  Treasury 
Board  Directive  that  would  prevent  "double  dipping10  by  terminated  executives 
were  not  included  in  all  release  agreements.  These  provisions  require  an 
executive  to  reimburse  termination  benefits  for  the  time  their  new  employment 
overlaps  with  the  severance  period. 

In  our  October  2008  Report,  we  also  identified  employment  contracts  that 
entitled  executives  to  payments  upon  voluntary  termination  (resignation  or 
retirement).  This  is  deferred  salary  rather  than  severance.  These  entitlements, 
their  existence  and  amounts,  were  not  publicly  disclosed. 

The  British  Columbia  public  sector  dealt  with  termination  standards  through  its 
Public  Sector  Employers  Act6.  Its  termination  standards  apply  to  government 
and  public  agency  employees  and  bring  consistency  to  British  Columbia's 
termination  benefits  to  senior  public  sector  employees.  In  Alberta,  there  is  no 
similar  standard  for  public  agencies. 

Supplementary  Retirement  Plans 

The  government  has  not  provided  adequate  and  appropriate  guidance  to  public 
agencies  on  their  use  of  supplementary  retirement  plans.  We  continue  to  see 
public  agencies  entering  into  various  plan  designs  and  unique  post-retirement 
arrangements.  The  government  has  a  role  to  play  in  providing  guidance  on 
SRPs  because,  in  most  cases,  it  ultimately  funds  these  future  obligations. 

Public  agencies'  obligations  for  SRPs  at  the  end  of  2005-2006  were 
$36.3  million;  their  assets  for  these  plans  were  only  $4.9  million.  Public 
agencies'  obligations  for  SRPs  grew  to  $47.9  million  by  the  end  of  2007-2008, 
at  which  time  their  assets  were  only  $7.5  million.7 

Our  2008-2009  review  of  public  agency  SRPs  identified  various  terms  and 
plan  designs.  Each  term  and  plan  design  has  an  associated  public  cost. 
Specifically,  we  identified  the  following  costs: 

•     contributions—Most  plans  did  not  require  employee  contributions,  which 
means  the  taxpayer  pays  the  full  cost.  In  contrast,  the  government's  public 
service  SRP  requires  substantial  employee  contributions. 


5  Double  dipping  is  a  term  used  to  describe  an  executive  who  receives  severance  for  a  notice  period,  but  during  that  period 
yams  employment  in  or  accepts  a  fee-for-services  contract  with  the  public  sector. 
h  [RSBC  1996]  Chapter  384 

7  Since  2005-2006,  public  agencies  may  have  created  other  SRPs.  but  we  exclude  the  impact  of  these  plans  from  the  numbers 
above  to  allow  for  comparability  between  2005-2006  and  2007  2008.  These  numbers  also  exclude  SRPs  in  school  boards. 
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Some  executives 
received  benefits 
for  years  of 
service  they  did 
not  provide  to  that 
employer 


•  pensionable  earnings— Some  public  agencies'  SRPs  included  the  full 
amount  of  performance  bonuses  as  pensionable  earnings;  others  included 
performance  bonuses  of  up  to  20%  of  base  salary  as  pensionable  earning 
in  contrast,  the  public  service  SRP  does  not  consider  lump  sum  payments 
such  as  performance  pay  to  be  pensionable  earnings.  There  is  a  significant 
cost  associated  with  including  one-time  performance  bonuses  in 
pensionable  earnings. 

•  crediting  prior  years  of  service— Public  agencies  credited  senior  officials 
with  years  of  pensionable  service  for  years  they  did  not  work  for  the 
organization.  In  the  health  sector,  for  example,  one  board  credited  its  CEO 
with  28.6  years  of  service  even  though  the  CEO  had  only  worked  at  the 
region  for  8.8  years.  There  are  other  examples  where  boards  credited 
former  health  and  university  executives  with  additional  years  of  service  for 
years  they  did  not  work  for  the  organizations. 

•  retirement  benefits— Some  plans  were  based  on  1 .75%  per  year  of  the 
highest  five  consecutive  years  of  earnings,  while  others  were  based  on 
2%  per  year.  One  arrangement  provided  for  retirement  benefits  to  be  paid 
at  5%  per  year  of  the  executive's  annual  salary. 

•  unreduced  retirement  date— The  earliest  unreduced  retirement  date  on 
SRPs  varied.  We  saw  plans  using  60  years  of  age,  65  years,  the  earlier  of 
60  years  or  85  points,  and  the  earlier  of  65  years  or  85  points.  The  85 
points  are  reached  when  someone's  age  and  pensionable  years  of  service 
add  up  to  85. 

indexing— Indexing  links  pension  payments  with  the  Alberta  consumer 
price  index  (CPI).  Some  plans  had  indexing  at  60%  of  changes  in  Alberta 
CPI.  Others  had  ad  hoc  indexing  or  no  indexing  at  all. 

•  benefit  payment  periods— Benefit  payment  periods  varied  among  SRPs. 
Most  plans  paid  benefits  for  the  executive's  lifetime.  Others  were  restricted 
to  fixed  periods  of  time  (for  example,  10  years). 

•  earning  years  of  service  after  termination— In  one  termination  agreement, 
Alberta  Health  Services  agreed  that  a  CEO  would  be  eligible  for  two 
additional  years  of  pensionable  service  after  termination. 

In  our  2005-2006  Annua/  Report  (vol.  2— page  97),  we  recommended  that  the 
Department  of  Finance  assess  the  annual  and  cumulative  costs  and  risks 
associated  with  SRPs.  See  page  2 1 9  for  our  follow-up  audit  of  this 
recommendation. 
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Some  boards 
established 
performance 
measures;  others 
did  not 


ATB  Board 
judgment 


Not  applying 
vesting  periods 
reduces 

effectiveness  of 

long-term 

compensation 


Performance  pay  (bonuses) 

In  our  October  2008  Report,  we  stated  that  the  use  of  performance  pay  (also 
called  variable  pay,  bonuses,  or  pay-at-risk)  for  CEOs  of  public  agencies  varied 
significantly.  Certain  public  agency  boards  of  directors  used  established 
performance  measures  as  the  basis  for  performance  pay.  Others  did  not  use 
objective  criteria,  resulting  in  amounts  that  w  ere  either  automatic  or  arbitrary. 

Well-designed  public  agency  performance  pay  programs: 

•  align  organizational  goals  with  employee  performance 

•  recognize  measurable  change 

•  align  pay  with  the  achievement  of  results 

•  help  organizations  attract,  retain  and  motivate  key  individuals 

In  our  October  2008  Report  (page  126),  we  reported  that  the  Board  of  ATB 
Financial  approved  executive  performance  pay  for  2007-2008.  despite  its 
policy  that  it  would  not  pay  a  performance  bonus  if  ATB's  net  income  was 
below  50%  of  the  budgeted  target.  We  reported  that  in  the  Board's  judgment 
this  was  the  right  decision. 

In  our  opinion,  if  organizations  need  to  change  the  performance  targets  after  the 
start  of  the  performance  period,  it  generally  indicates  that  there  was  a  flaw  in 
the  original  design  of  the  performance  pay  program. 

We  saw  long-term  incentive  plans  being  used  by  a  few  Alberta  public  agencies. 
In  these  long-term  incentive  plans,  the  board  awards  annual  grants  to  eligible 
executives.  The  plans  have  a  vesting  period  during  which  the  grant  will  not  be 
paid  to  the  executive.  During  the  vesting  period,  the  grant's  original  value  will 
increase  or  decrease  over  a  set  period  (usually  three  or  four  years)  based  on 
performance  criteria.  We  observed  that  one  organization  ignored  the  vesting 
period  restriction  when  executives  left.  This  reduces  the  effectiveness  of  a 
long-term  compensation  plan,  because  it  does  not  consider  the  plan's  long-term 
time  horizon  or  the  results  of  strategic  decisions  made  by  those  executives. 

In  2008-2009,  the  CEO  of  the  Capital  Health  Region  approved  retention 
bonuses  of  $20,0008  each  to  15  executives.  Their  documentation  stated  that  if 
the  executives  left  the  organization  before  March  3 1 ,  2009,  the  retention 
bonuses  would  be  recovered  on  a  pro-rata  basis.  Eight  executives  were 
terminated  before  March  3 1 ,  2009,  and  these  amounts  were  not  recovered  on 
termination.  Capital  Health's  Human  Resource  Department  advised  us  that  the 
retention  payment  would  have  only  been  recovered  if  the  employee  had 
voluntarily  quit.  But  this  was  not  clear  in  the  documentation. 


See  page  259  of  this  report. 
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We  saw  examples  of  boards  awarding  performance  pay  to  terminated 
executives,  including  the  following: 

•  terminated  executives  received  performance  pay  for  a  period  of  time  in 
2008-2009  before  termination,  but  it  was  not  clearly  documented  what 
results  they  achieved  during  this  period 

•  an  executive  received  a  performance  payment  for  the  three-month  period 
after  the  termination  date 

•  executive  severance  payments  were  paid  to  four  individuals  that  included 
performance  payments  for  notice  periods  that  ranged  from  9  to  1 8  months 


U  of  C's  board 
lacks  clear 
processes  for 
negotiating  CEO 
compensation 


Board  oversight  of  executive  compensation  arrangements 

On  page  146,  we  recommend  that  the  University  of  Calgary's  Board  of 
Governors  establish  systems  and  processes  to  guide  all  aspects  of 
compensation,  including  the  timely  negotiation  and  completion  of  pension  and 
employment  contract  arrangements  for  senior  executive  positions. 


Compensation 
policy  not 
formalized 

Financial  impacts 
not  assessed 


As  part  of  that  audit  we  found: 

•  The  University's  compensation  committee  had  no  formal  compensation 
policy  to  guide  the  Board's  contract  negotiations  with  executives 

•  The  University  did  not  have  a  well-defined  process  to: 

•  assess  the  financial  impact  and  related  obligation  to  the  University  for 
terms  negotiated  in  executive  employment  contracts 

•  communicate  key  information  to  the  University  Administration  and 
ensure  contracts  are  completed  in  a  timely  manner 


On  page  256,  we  report  that  Alberta  Health  Services  lacked  severance  policies 
and  board-  and  management-oversight  of  the  executive  severance  process. 
Severance  policies  and  a  clearly  defined  process  that  included  roles  and 
responsibilities  for  negotiating,  reviewing,  approving  and  paying  severances  did 
not  exist. 

Implication  and  risks  if  recommendation  not  implemented 

If  compensation  practices  are  not  well  designed,  public  agencies'  boards  of 
directors  may: 

•  be  unable  to  recruit  and  retain  talented  executives 

•  be  unable  to  motivate  executives  to  achieve  the  results  expected  of  them 

•  pay  for  performance  that  does  not  meet  established  expectations 

•  approve  benefits  without  understanding  the  full  cost  of  those  benefits 
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4.2  Disclosure  of  termination  benefits  paid 
Recommendation  No.  2 

We  recommend  that  the  Ministry  of  Treasury  Board  increase 
transparency  of  termination  benefits  by  adopting  disclosure  practices  for 
Alberta  public  agencies  that  disclose  termination  benefits  paid. 

Background 

The  current  Treasury  Board  Salary  and  Benefits  Disclosure  Directive*  requires 
all  departments,  regulated  funds,  provincial  agencies  and  Crown-controlled 
organizations  to  include  salary  and  benefit  information  in  their  financial 
statements.  Our  October  2008  Report  recommendation  (No.  3 — page  32) 
focused  on  applying  the  private  sector's  requirements  for  compensation 
disclosure  to  the  Alberta  public  sector.  The  Ministry  of  Treasury  Board  has  this 
recommendation  under  review.  Our  current  recommendation  focuses  on 
termination  benefits,  which  are  one  piece  of  compensation  disclosure. 

Criteria:  the  standards  we  used  for  our  audit 

There  should  be  transparent  and  full  disclosure  of  executive  compensation 
throughout  Alberta  public  agencies. 


Public  agencies  do 
not  consistently 
disclose 
termination 
benefits 


Transparency 
needed  to  help 
Albertans  hold 
public  agencies 
accountable 


Some  good 
examples  do  exist 


Our  audit  findings 

Alberta  public  agencies  do  not  consistently  publicly  disclose  executive 
termination  benefits.  The  current  Treasury  Board  Salary  and  Benefits 
Disclosure  Directive  requires  disclosure  of  salary,  lump  sum  payments, 
performance  pay,  payouts  of  accumulated  vacation  and  benefits,  but  not  of 
termination  benefit  payments. 

We  observed  examples  at  public  agencies  of  termination  benefit  payments 
ranging  from  $195,000  to  $825,000  that  were  not  publicly  disclosed.  These 
examples  are  not  a  complete  list  of  all  public  agencies'  executive  termination 
payments.  However,  they  provide  context  for  the  significant  cost  of  termination 
benefits.  The  payments  we  observed  were  in  accordance  with  employment 
contracts.  Our  concern  is  that  termination  benefits  are  not  transparent.  In  our 
opinion,  Albertans'  ability  to  hold  organizations  accountable  for  their  decisions 
is  reduced  when  termination  benefits  are  not  clearly  disclosed. 

We  also  found  good  examples  of  organizations  that  disclosed  termination 
benefit  payments: 

•     In  the  health  sector,  the  Regional  Health  Authorities  (Ministerial) 

Regulation0  section  9  and  the  Financial  Directive  34  (Requirements  for 


9  Directive  #12 -98 

10  Alta.  Reg.  17/95 
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Financial  Statements  and  Supplementary  Schedules)  required  health 
regions  and  boards  to  disclose  direct  or  indirect  termination  benefit 
payments  to  individuals  by  including  these  payments  in  the  salary  and 
benefit  schedule. 

The  March  31,  2009  financial  statements  of  one  public  agency,  disclosed 
that  a  former  executive  would  receive  a  retirement  allowance  of 
approximately  $  1 .2  million  and  an  employment  agreement  payout  of 
$960,000. 


Disclosure 
requirements  in 
the  private  sector 
are  greater  than  in 
public  agencies 


B.C.  termination 
benefits  are 
disclosed 


Executive 
contracts  typically 
include  these 
benefits 


Good  compensation  disclosure  practices  in  the  private-sector  are  published  by 
the  Institute  of  Corporate  Directors  (ICD)11  and  the  Canadian  Coalition  for 
Good  Governance.12  Both  organizations  advocate  the  full  disclosure  of 
compensation  arrangements,  including  termination  benefits.  The  Canadian 
Securities  Administrators  require  publicly  listed  entities  in  Canada  to  disclose 
termination  benefits.13  Although  Alberta's  public  agencies  are  not  subject  to 
these  disclosure  requirements,  in  our  opinion,  adopting  these  principles  would 
strengthen  transparency  of  and  accountability  for  termination  benefits. 

In  the  public  sector,  British  Columbia's  executive  compensation  disclosure 
practices  follow  its  Public  Sector  Executive  Compensation  Reporting 
Guidelines  (June  1,  2008),  which  require  a  Statement  of  Executive 
Compensation.  This  statement  includes  termination  benefits. 

In  our  audit  of  CEO  selection,  evaluation  and  compensation,  we  identified  that 
termination  benefits  were  generally  included  in  most  Alberta  public  agencies' 
contracts  with  CEOs.  We  have  not  examined  all  public  agencies'  executive 
contracts,  but  would  expect  to  find  that  most  include  termination  provisions. 

Implication  and  risks  if  recommendation  not  implemented 

Alberta  public  agencies  will  not  be  transparent  and  fully  accountable  to 
Albertans  if  they  do  not  consistently  disclose  termination  benefits  paid. 


11  ICD  Blue  Ribbon  Commission  on  the  Governance  of  Executive  Compensation  in  Canada  (June  2007) 

12  Good  Governance  Guidelines  for  Principled  Executive  Compensation  working  paper  (June  2006) 

13  National  Instrument  form  51-1 02F6  Statement  of  Executive  Compensation 

Report  of  the  Auditor  General  of  Alberta 
1  October  2009 


Cross-Ministry 


Public  Agencies — Executive  Compensation 
Current  Practices  for  Boards  of  Directors— Appendix 


Current  Practices  for  Boards  of  Directors- 
Appendix 

To  help  public  agency  boards  of  directors,  we  have  identified  a  number  of  current 
practices  based  on  our  observations.  These  are  consistent  with  good  executive 
compensation  practices  suggested  by  the  Institute  of  Corporate  Directors  and  the 
Canadian  Coalition  for  Good  Governance. 

These  current  practices  are  not  presented  as  recommendations  since  the  Office  of 
the  Auditor  General  does  not  expect  a  formal  response  to  them  from  government. 
However,  public  agencies  should  decide  if  their  compensation  systems  for  senior 
executives  could  be  improved  by  examining: 

•  their  existing  executive  compensation  practices 

•  the  current  practices  below 

•  the  recommended  practices  on  CEO  compensation  reported  in  our 
October  2008  Report  (pages  41  to  48) 

Boards  of  directors  should: 

•  ensure  compensation  policies  exist  and  are  followed— procedures  should  also 
exist  that  assign  roles  and  responsibilities  for  determining  senior  executive 
compensation,  and  identify  critical  factors  to  consider  and  information  required 

•  ensure  executive  compensation  plans  exist  and  include  all  elements  of 
compensation — these  plans  should  be  approved,  documented  and  regularly 
reviewed 

•  understand  the  full  financial  impact  and  cost  to  the  organization  of  the  entire 
compensation  arrangement 

•  develop  executive  termination  guidelines  that  are  reasonable  and  consistent 
their  guidelines  should  reflect  common  law  standards 

•  understand  the  total  cost  of  supplemental  retirement  plans— any  unique 
elements  of  a  plan's  design  needs  to  be  carefully  assessed  and  the  full  cost  of 
these  elements  understood 

•  ensure  performance  pay  plans  (if  used): 

•     identify  and  articulate  the  purpose  of  the  plan 

include  an  objective  and  measurable  methodology  for  setting  performance 
targets  and  payout  amounts 

contain  targets  that  are  challenging  and  represent  real,  measurable  change 
are  paid  only  when  executives  have  met  performance  criteria — boards 
should  base  performance  pay  on  results  and  stick  with  their  methodologies 
whether  the  results  are  positive  or  negative 
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Recruiting,  Evaluating  and  Training 
Boards  of  Directors — Follow-up 

Background 

In  our  2004-2005  Annual  Report  of  the  Auditor  General  of  Alberta,  w  e 
recommended  that: 

•  the  Deputy  Minister  of  Executive  Council  update  Alberta  public  sector 
principles  and  guidance  so  that  they  are  consistent  with  current  good  practices 
for  recruiting,  evaluating  and  training  directors.  (No.  1 — page  28) 

•  the  guidance  includes  a  statement  that  governing  boards  evaluate  and  report 
publicly  their  own  performance  against  both  Alberta  public  sector  principles 
and  their  own  board  governance  policies.  (No.  2 — page  28) 

Our  audit  findings 

Alberta  public  sector  principles  and  guidance— implemented 
Framework  This  recommendation  has  been  implemented  through  the  Government  of  Alberta's 

ad°Pted  adoption  of  the  Public  Agencies  Governance  Framework  (the  Framew  ork)  in 

February  2008. 

The  Framework  was  in  response  to  At  a  Crossroads:  the  Report  of  the  Board 
Governance  Task  Force.  The  Task  Force's  October  2007  report  included 
recommendations  to  the  government  on  board  appointments,  orientation  and 
education,  and  evaluations.  The  Task  Force  also  recommended  that  the  Government 
of  Alberta  recognize  the  importance  of  agencies  by  passing,  as  a  priority,  an  Alberta 
Public  Agencies  Governance  Act1 . 

The  Framework  outlines  the  Government  of  Alberta's  policy  on  agency  governance. 
The  purpose  of  the  Framework  is  to  provide  clear  expectations  on  all  elements  of 
governance  including  accountability  and  transparency.  In  2009,  Bill  32  received 
Royal  Assent  and  introduced  the  Alberta  Public  Agencies  Governance  Act. 

We  reviewed  the  Framework  and  concluded  it  provides  adequate  guidance  to  public 
agencies.  The  Framework  includes  specific  information  for  boards  on: 

•  recruitment  and  appointment  of  directors 

•  term  lengths 

•  government  representation  on  boards 

•  orientation  and  education  of  directors 

•  ethics  and  conflicts  of  interest 

•  evaluation  of  boards  and  directors 


1  Alberta  Public  Agencies  Governance  Act  (Bill  32).  received  Royal  Assent  on  June  4.  2009,  but  has  not  yet  been  proclaimed 
in  force. 


Framework 
provides  adequate 
guidance 
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•  remuneration  of  boards 

•  use  of  committees 

We  also  reviewed  the  Act  and  noted  that  it  contains  requirements  related  to  the 
recruitment  of  members  (directors)  of  public  agencies.  The  Act  requires  public 
agencies  to  identify  the  skills  and  knowledge  required  of  directors  before  the 
recruitment  begins  and  to  base  the  appointment  on  those  attributes. 

Evaluating  board  performance  and  reporting  publicly— implemented 

This  recommendation  has  been  substantially  implemented  as  the  Framework 
requires  boards  to  evaluate  director  performance  and  board  successes.  The  Agency 
Governance  Secretariat  is  currently  working  with  boards  to  implement  the 
Framework  by  sharing  evaluation  tools  and  advice  with  boards. 

The  requirement  for  boards  to  publicly  report  their  own  performance  against  both 
Alberta  public  sector  principles  and  their  own  governance  policies  is  not  explicitly 
included  in  the  Framework.  However,  we  believe  that  sufficient  progress  has  been 
made  on  board  evaluations  to  allow  us  to  conclude  that  the  recommendation  has 
been  substantially  implemented.  We  continue  to  encourage  the  Agency  Governance 
Secretariat  to  support  such  public  reporting. 
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Our  first  report 
was  in  2008 


Our 

recommendations 
in  2008 


This  report  is 
about  the 

implementation  of 
the  Regulation 


Alberta's  Response  to  Climate 
Change— Part  2 

In  2002,  Alberta  released  its  first  climate  change  plan— Albertans  &  C  limate 
Change:  Taking  Action  and  in  2008  updated  it  with— Alberta 's  Climate  ( 'hange 
Strategy. 

In  October  2008,  we  reported  on  Alberta's  systems  to  develop  and  report  on  its 
climate  change  plans  and  strategies  {October  2008  Report,  page  93).  We  examined 
the  actions  that  the  government  planned  to  take  to  achieve  its  emissions  reduction 
targets,  including  how  implementing  the  Specified  Gas  Emitters  Regulation 
(the  Regulation)  would  help  in  achieving  those  targets. 

We  recommended  that  the  Department  of  Environment  create  a  master 
implementation  plan  for  the  actions  necessary  to  meet  its  climate  change  targets.  We 
found  that  the  government  had  set  targets  based  on  modeling  that  included  changes 
to  the  Regulation,  but  these  changes  were  not  included  in  the  2008  updated  plan.  We 
also  found  that  there  was  no  evidence  to  show  that  the  particular  actions  in  the 
updated  plan  would  result  in  targets  being  met. 

Also,  we  recommended  that  the  Department  improve  its  public  reporting  on 
Alberta's  success  and  costs  incurred  in  meeting  climate  change  targets.  We  found 
that  processes  to  ensure  data  reported  is  reliable  and  relevant  had  weaknesses.  We 
also  found  the  Department  needed  to  be  clearer  in  its  public  reporting  that  reductions 
made  under  the  Regulation  are  emissions  intensity  reductions  and  not  absolute 
reductions. 

As  the  Department  had  not  finished  reviewing  the  reports  required  from  facilities, 
we  deferred  our  audit  of  the  implementation  of  the  Regulation. 

1 .  Summary  of  our  2009  audit— monitoring 
compliance  with  the  Specified  Gas  Emitters 
Regulation 

What  we  examined 

This  Part  2  report  on  Alberta's  response  to  climate  change  covers  the 
Department's  implementation  of  the  Regulation.  Our  audit  objective  was  to 
determine  whether  the  Department  has  adequate  systems  to  ensure  facilities 
comply  with  the  requirements  of  the  Regulation. 
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The  Regulation  is 
key  to  Alberta 
meeting  its  targets 


Why  it  is  important  to  Albertans 

The  Regulation  is  important  because  it  establishes  emissions  limits  for  facilities 
that  emit  approximately  50%  of  the  greenhouse  gas  emissions  in  Alberta.  This 
legislative  requirement  was  taken  into  account  when  the  government  established 
its  long-term  climate  change  targets.  If  this  regulatory  program  doesn't  deliver 
expected  emissions  reductions,  the  government  will  have  to  obtain  more 
reductions  in  other  areas  than  originally  planned  for  or  amend  its  targets. 


Key  to  success  is  the  Department's  plan  to  use  payments  into  the  Climate 
Change  and  Emissions  Management  Fund  to  invest  in  initiatives  and  projects 
that  support  developing  and  implementing  technologies  that  will  reduce 
greenhouse  gas  emissions  and  improve  Alberta's  ability  to  adapt  to  climate 
change. 


System  is 
reasonable  given 
the  stage  of  its 
development 


What  we  found 

We  concluded  we  could  rely  on  the  Department's  system  to  ensure  facilities 
reported  their  obligations  in  compliance  with  the  Regulation.  Our  audit  opinion 
on  the  financial  statements  of  the  Climate  Change  and  Emissions  Management 
Fund  (Fund)  is  unqualified.  However,  in  our  opinion,  the  Department  can  make 
verifying  compliance  with  the  Regulation  more  efficient  by  implementing  our 
recommendations. 


The  Department  must  also  assess  whether  the  Regulation  is  cost-effective. 
What  needs  to  be  done 

The  Department  has  undertaken  a  significant  amount  of  work.  It  implemented 
the  system,  one  of  only  a  few  greenhouse  gas  regulatory  systems  currently  in 
place,  six  months  before  the  initially  planned  start  date.  The  systems  and 
processes  including  the  offsets  purchased  by  facilities  are  new  and  complex. 


System  needs 
these 

improvements 


To  strengthen  the  system  the  Department  needs  to: 

•  improve  its  guidance  to  facilities  and  verifiers 

•  improve  the  design  and  documentation  of  its  technical  review  process 

•  strengthen  its  offset  guidance  and  put  a  process  in  place  to  ensure  the 
Alberta  Emissions  Offset  Registry  performs  the  work  the  Department  needs 

•  amend  its  error  correction  threshold  so  that  it  also  considers  the  dollar 
impact  on  the  Fund  of  uncorrected  errors 

•  collect  sufficient  information  to  assess  the  cost-effectiveness  of  the 
Regulation 
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*  2.  Audit  objectives  and  scope 

*~  Our  audit  objective  was  to  determine  whether  the  Department  has  adequate 

w  systems  to  ensure  facilities  comply  with  the  requirements  of  the  Regulation.  We 

©  examined  the  systems  that  the  Department  uses  to: 

13  •     ensure  facilities  submit  accurate  and  complete  data  that  complies  with  the 

+~~)  Regulation 

w  •     measure  the  cost-effectiveness  of  the  Regulation. 

^  We  examined  the  systems  the  Department  had  developed  and  implemented  up 

®  to  the  end  of  July  2009. 

The  Department  was  in  the  process  of  assessing  facility  compliance  reports  and 

^  offsets  for  the  2008  compliance  period  when  we  concluded  this  audit.  The 

~  Department  was  also  assessing  some  of  the  offsets  submitted  for  the  2007 

compliance  period. 

o  3.  Understanding  climate  change  regulation 


O  Greenhouse  gas  (GHG)  regulatory  systems  follow  a  process  of  policy  creation, 

s3  results  measurement,  results  verification  and  public  reporting  on  achievement. 

>q  Alberta's  regulatory  system  also  follows  this  process. 

^  Policy  creation 

^  The  Legislative  Assembly  of  Alberta  passed  the  Climate  Change  and  Emissions 

O  Management  Act2  in  2003.  Next,  the  Specified  Gas  Reporting  Regulation'  was 

created  under  the  Act.  Facilities  emitting  more  than  100,000  tonnes  of 
^  C02  equivalent  emissions  (C02e)  have  to  report  their  emissions  annually  to  the 

Department.  The  Specified  Gas  Emitters  Regulation4  (the  Regulation)  was 

established  in  2007. 


The  Regulation  seeks  to  limit  the  intensity  of  emissions.  It  specifies  a  target 
level  of  emissions  intensity  for  each  facility  that  currently  emits  more  than 
100,000  tonnes  of  C02e  annually.  Emissions  intensity  is  the  ratio  of  the  total 
annual  C02e  emissions  to  the  total  annual  production  as  expressed  in  units  of 
production.  This  ratio  allows  facilities  a  specified  number  of  emissions  rights 
for  each  unit  of  production  added.  If  facilities  have  an  emissions  intensit) 
higher  than  their  specified  target,  they  must  either  pay  $15/tonne  into  the 
province's  Climate  Change  and  Emission  Management  Fund  (the  "fee"  part  of 
Alberta's  system)  or  purchase  emissions  performance  credits  (EPCs)  from 


Regulation  limits 

emissions 

intensity 


Facilities  that 
exceed  targets  can 
pay  into  Fund  or 
buy  EPCs  or 
offsets 


2S.A.  2003,  c.C- 16.7 

3  Alta.  Reg.  251/2004 

4  Alta.  Reg.  139/2007 
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another  facility  or  offsets  from  a  business  that  sells  carbon  offsets  (the  "trade" 
part  of  Alberta's  system). 


EPCs 


EPCs  are  credits  generated  by  facilities  that  have  achieved  decreases  in 
emissions  intensity  beyond  the  required  emissions  intensity  target.  The 
Department  allows  these  credits  to  be  sold  to  other  facilities  or  to  be  used  in 
subsequent  years. 


Offsets 


Offsets  are  emissions  reductions  (for  example,  wind  energy  projects)  or 
removals  (for  example,  reduced  tillage  projects)  from  activities  occurring  in 
Alberta.  The  activities  that  result  in  the  reduction  or  removal  are  not  required  by 
law  at  the  time  the  action  is  initiated. 


Emissions  intensity  targets  provide  an  incentive  for  facilities  to  become  more 
efficient  and  reduce  the  emissions  they  generate  per  unit  of  production. 
However,  since  the  targets  incorporate  the  amount  of  production,  the  targets 
don't  result  in  an  overall  cap  on  emissions  unless  facility  production  remains 
constant.  Under  such  a  system,  it  is  possible  that  facilities  could  meet  their 
emissions  intensity  targets  and  have  increased  their  overall  emissions  if  the 
level  of  production  increases.  Or  alternatively,  if  the  level  of  production  falls, 
facilities  may  not  have  met  their  intensity  targets  even  though  they  decreased 
their  overall  emissions. 

Results  measurement 

The  Department  created  guidance  for  facilities  on  the  types  of  emissions  they 
must  report  and  the  methods  they  must  use  to  measure  those  emissions. 


Measurement 

involves 

estimation 


GHGs  required  to  be  measured  by  the  Regulation,  include  carbon  dioxide 
(C02),  methane  (CH4),  nitrous  oxide  (N20),  hydrofluorocarbons  (HFCs), 
perfluorocarbons  (PFCs)  and  sulfur  hexafluoride  (SF6).  Facilities  can  measure 
the  amounts  of  GHGs  they  emit,  but  there  is  always  a  level  of  uncertainty 
associated  with  the  measurement  even  when  facilities  use  continuous  emission 
monitoring  to  directly  measure  the  amount  of  each  of  these  gases  emitted.  The 
measuring  equipment  provides  measurements  within  a  certain  range  of 
accuracy.  Also,  each  non-C02  gas  measurement  is  translated  into 
C02  equivalents,  using  global  warming  potential  factors,  published  by  the 
Intergovernmental  Panel  on  Climate  Change,  that  also  have  a  degree  of 
scientific  uncertainty. 


Cost  of 
measurement 


The  cost  of  measuring  GHG  emissions  under  the  Regulation  will  depend  on  the 
type  and  complexity  of  industrial  processes  a  facility  uses  and  the  extent  to 
which  it  had  GHG  measurement  systems  in  place  before  the  Regulation  was 
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passed.  The  costs  would  be  more  significant  in  facilities  that  have  to  buy  new 
equipment  to  comply  with  the  Regulations  reporting  requirements. 


Facilities  have  to 
provide  a 
compliance  report 
each  year 


Different  ways  of 
checking  accuracy 
of  compliance 
reports 


Department 
requires 

compliance  report 
to  be  verified  by  a 
third  party 


Audits  provide 
higher  level  of 
assurance 


Department 
requires  limited 
assurance  level 


Assurance 
standards 


Results  verification 

Facilities  that  are  subject  to  the  Regulation  are  required  to  provide  a  baseline 
report  to  the  Department.  Each  year,  facilities  are  required  to  provide  a 
compliance  report  indicating  whether  they  have  reduced  their  emissions 
intensity  by  the  amounts  required  in  the  Regulation. 

Governments  can  check  the  credibility  of  a  facility's  emissions  reports  by 
having  their  employees  check  the  report  at  the  facility.  Or  they  can  require  a 
facility  to  hire  an  independent  third  party,  called  a  verifier,  to  check  the 
information  supplied.  In  the  first  approach,  governments  incur  the  cost  of  the 
in-depth  checking;  in  the  latter,  facilities  bear  the  cost. 

The  Department  uses  both  approaches.  It  requires  all  facilities  to  have  their 
reports  independently  verified.  Companies  (project  proponents)  who  put 
together  offset  projects  are  also  required  to  have  the  offsets  independently 
verified.  In  addition,  Department  staff  perform  a  desk  review  of  facility  reports 
and  a  trend  analysis  on  the  emissions  and  production  of  each  facility.  The 
Department  also  hires  verifiers  to  perform  re-verifications  at  a  sample  of 
facilities  and  in  2007  for  all  offset  projects.  The  Department  has  developed 
guidance  documents  that  identify  the  responsibilities  of  facilities,  verifiers  and 
offset  project  proponents. 

When  governments  use  third  parties  to  verify  emissions  reports,  they  must 
decide  whether  they  require  the  third  parties  to  perform  an  audit  engagement  or 
a  limited  assurance  engagement.  The  third  party  provides  a  reasonable  level  of 
assurance  in  an  audit  engagement.  Although  not  absolute,  an  audit  is  the  highest 
level  of  assurance  a  third  party  can  provide.  In  a  limited  assurance  engagement 
(also  known  as  a  review  engagement),  the  third  party  provides  a  moderate  level 
of  assurance.  The  Department  requires  verifiers  to  perform  limited  assurance 
engagements. 

An  audit  requires  more  extensive  work  to  be  performed  to  obtain  the  reasonable 
level  of  assurance  and,  therefore,  costs  more  than  a  limited  assurance 
engagement. 

The  Department  requires  verifiers  to  follow  one  of  three  assurance  standards: 
•     International  Standards  Organization  14064  Greenhouse  gases— Part  3: 

Specification  with  guidance  for  the  validation  and  verification  of 

greenhouse  gas  assertions 
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•  Standards  for  Assurance  Engagements,  Canadian  Institute  of  Chartered 
Accountants  (CICA)  Handbook — Assurance  Section  5025 

•  International  Standards  on  Assurance  Engagements  3000 — Assurance 
Engagements  Other  Than  Audits  or  Reviews  of  Historical  Financial 
Information 


ISO  14064-3  reflects  the  specific  requirements  of  GHG  verification.  The  other 
two  standards  contain  general  guidance  on  providing  assurance,  but  do  not 
provide  specific  guidance  on  GHG  verification.  The  application  of  all  of  these 
standards  to  GHG  verification  is  relatively  new  given  that  regulation  of 
greenhouse  gases  in  the  world  is  in  its  infancy. 

Public  reporting 

For  each  compliance  period,  the  Department  of  Environment  reports  payments 
into  the  Fund,  offsets  and  emission  performance  credits  that  facilities  submit. 
The  Department  publishes  this  information  on  its  website. 

There  has  not  yet  been  a  public  report  on  Alberta's  accomplishments  and  the 
costs  incurred  in  meeting  the  climate  change  targets.  We  discussed  the  need  for 
public  reporting  in  our  October  2008  Report  (page  101).  The  government 
responded  that  public  reporting  is  planned  for  2010-201 1 . 

4.  Recommendations 

4.1  Data  quality 

Recommendation 

We  recommend  that  the  Department  of  Environment  strengthen  its 
guidance  for  baseline  and  compliance  reporting  by: 

•  clarifying  when  uncertainty  calculations  must  be  done 

•  prescribing  the  minimum  required  quality  standards  for  data  in  terms 
of  minimum  required  frequency  of  measurement  and  connection  to  the 
period  being  reported  on 

•  describing  the  types  of  data  controls  that  facilities  should  have  in  place 


Public  reporting 
planned  for 
2010-2011 


Different  GHG 

measurement 

approaches 


Background 

There  are  multiple  ways  in  which  a  facility's  selection  of  the  GHG 
measurement  approach  will  impact  the  degree  of  uncertainty  associated  with 
GHGs.  These  approaches  can  have  a  material  impact  on  the  GHG  emissions 
calculated.  For  example: 

•     monitoring  frequency — limited  data  measurements  taken  once  per  year  may 
not  accurately  represent  seasonal  variations  in  emissions  produced  from 
biological  processes  and  data  measurements  taken  outside  the  reporting 
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More  guidance 
needed  on  when  to 
do  uncertainty 
calculations 


period  may  create  material  uncertainty  as  to  the  actual  emissions  during  the 
reporting  period 

•  level  of  accuracy  for  monitoring  equipment— relying  on  certain  types  of 
flow  meters  for  gas  can  create  material  uncertainty  as  these  meters  may  be 
accurate  to  only  +/-10% 

•  frequency  of  calibration  of  monitoring  equipment 

•  conversion  factors/models/calculation  approach— changing  from  use  of  a 
factor  for  coal  (as  the  fuel  consumed)  to  direct  measurement  (of  gases 
emitted)  can  materially  change  calculated  emissions 

•  assumptions — using  assumptions  about  GHG  emissions  based  on  gas 
volumes  that  do  not  contemplate,  for  example,  the  change  in  volume 
associated  with  temperature  changes  will  result  in  an  incorrect  calculation 

Uncertainty  calculations  allow  both  the  Department  and  facilities  to  assess 
whether  the  data  is  potentially  so  inaccurate  that  another  measurement  and 
calculation  method  should  be  used. 

The  International  Organization  for  Standardization  (ISO)  is  a  worldwide 
federation  of  national  standards  bodies. 

ISO  has  developed  standards  for  the  measurement  of  GHGs.  ISO  14064-1 
specifies  principles  and  requirements  for  organizations  preparing  GHG 
inventories. 

Criteria:  the  standards  we  used  for  our  audit 

The  Department  of  Environment  should  clearly  define  and  communicate 
methodologies  for  calculating  emissions  and  production. 

Our  audit  findings 

The  Department  has  not  provided  sufficient  guidance  to  facilities  on  when  they 
must  do  uncertainty  calculations.  The  Department  does  not  prescribe  the  data 
measurement  methods  or  the  calculation  methods  for  estimating  emissions. 
Instead,  the  Department  recommends  that  facilities  use  one  of  four 
measurement  and  five  calculation  methods  indicated  in  the  guidance  for 
estimating  emissions. 

The  Department  also  allows  facilities  to  use  two  other,  less  accurate, 
measurement  methods  and  one  other  calculation  method  as  long  as  the  facilities 
can  show  that  the  level  of  uncertainty  in  the  calculation  would  not  materially 
affect  the  overall  accuracy  of  calculation  of  emissions.  The  guidance  would  be 
clearer  if  examples  were  provided  of  the  cases  when  an  uncertainty  analysis  is 
required,  rather  than  this  general  statement.  The  guidance  would  also  be  clearer 
if  it  indicated  the  methodology  for  completing  the  analysis. 
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ISO  14064-1  requires  facilities  to  assess  the  impact  of  uncertainty  on  the  data 
submitted.  We  consider  this  to  be  a  best  practice. 


More  guidance 
needed  on  data 
quality  and 
controls 


The  Department  has  not  provided  sufficient  guidance  about  data  quality 
standards.  There  is  no  minimum  data  quality  standard  for  calculating  GHG 
emissions.  We  found  two  cases  where  facilities  estimated  emissions  for  a 
material  emissions  source  using  data  collected  during  a  period  prior  to  the 
baseline  period. 


The  Department  has  also  not  provided  guidance  on  the  kinds  of  data  controls 
that  facilities  should  have  in  place,  such  as: 

•  calibration  of  equipment 

•  checks  over  manual  calculation  processes 

•  computer  controls  over  data  entry,  security  and  change  management 

Implication  and  risks  if  recommendation  not  implemented 

If  the  Department  does  not  strengthen  its  guidance,  the  opportunity  to  efficiently 
obtain  higher  quality  emissions  intensity  reporting  will  be  missed. 

4.2  Guidance  to  verifiers  of  facility  baseline  and  compliance  reports 
Recommendation  No.  3 

We  recommend  that  the  Department  of  Environment  strengthen  its 
baseline  and  compliance  guidance  for  verifiers  by  improving  the 
description  of  the  requirements  for: 

•  the  nature  and  extent  of  testing  required 

•  the  content  of  verification  reports 

•  assurance  competencies 


Verification 
criteria 


Background 

Verifiers  use  verification  criteria  to  determine  the  type  of  procedures  they 
should  perform.  Accuracy  of  emissions  data  is  an  example  of  a  verification 
criterion.  Checking  whether  meters  that  supply  measurement  data  are  accurately 
calibrated  is  an  example  of  one  of  the  procedures  that  may  be  used  to  test  the 
accuracy  of  data. 


Department 
requirements 


The  Department  requires  verifiers  to  provide  a  limited  assurance  engagement 
report  on  the  baseline  and  compliance  reports  submitted  by  facilities.  The 
Department  also  requires  verifiers  to  report  their  sampling  plan,  verification 
criteria,  procedures  performed  and  uncorrected  material  and  immaterial 
discrepancies  identified  from  the  verification. 
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Who  can  be  a 
verifier 


The  Regulation  requires  that  the  verifier: 

•  be  either  a  professional  engineer,  chartered  accountant  or  a  professional 
with  substantially  similar  competencies  and  practice  requirements,  and 

•  have  technical  knowledge  of  specified  gas  emission  quantification 
methodologies  and  audit  practices. 

Criteria:  the  standards  we  used  for  our  audit 

The  Department  of  Environment  should  plan  what  is  needed  to  achieve  the 
objectives  of  the  Regulation  by  clearly  defining  and  communicating  verifiers' 
required  competencies  and  the  work  verifiers  are  to  perform. 

The  Department  should  establish  verification  criteria  that  provide  relevant, 
complete,  reliable,  neutral  and  understandable  expectations  for  the  evaluation  of 
the  emissions  and  production  calculations. 


System  can  be 
more  efficient 


Our  audit  findings 

The  Department's  reliance  on  the  work  of  the  verifiers  was  reasonable.  Our 
observations  below  indicate  how  the  Department  can  make  the  system  more 
efficient. 


Guidance  should 
indicate 
verification 
criteria  to  be 
reported  against 


Verification  guidance 

The  Department's  guidance  to  verifiers  explains  that: 

•  there  is  a  difference  between  a  reasonable  assurance  (audit)  engagement 
and  a  limited  assurance  engagement 

•  the  normal  procedures  performed  in  doing  a  limited  assurance  engagement 
would  not  be  sufficient  for  performing  verifications  under  the  Regulation 

•  additional  data  systems  evaluation  and  data  testing  would  be  required 

•  the  procedures  performed  would  be  more  extensive  or  stringent  than  those 
performed  in  a  financial  statement  limited  assurance  engagement,  but  not 
as  much  as  the  procedures  performed  in  a  reasonable  assurance  (audit) 
engagement 

Our  interviews  with  verifiers  indicate  more  detail  is  needed  for  verifiers  to  be 
clear  about  the  extent  of  work  the  Department  requires  them  to  perform. 

Verification  reports  varied  substantively  in  content  and  often  were  not  sufficient 
to  meet  all  the  needs  of  the  Department.  The  Department  specified  that  the 
verifiers  should  use  verification  criteria  derived  from  the  Climate  Change  and 
Emissions  Management  Act5 ,  the  Regulation  and  the  technical  guidance 
documents.  The  Department  did  not  provide  a  detailed  listing  indicating  the 
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minimum  verification  criteria  and  procedures  that  the  Department  expected  the 
verifiers  to  perform  and  report  against. 

In  some  cases,  the  reports  indicated  that  the  verifiers  used  5%  of  emissions 
intensity  instead  of  5%  of  emissions  and/or  5%  of  production  as  the  tolerance 
limit  for  error.  Subsequently  the  Department  told  us  that  they  wanted  all  three 
limits  to  be  used  by  verifiers. 

In  the  sample  of  reports  we  reviewed,  only  two  reports  explained  how  the 
verifier  quantified  the  uncertainty  with  the  data  and  evaluated  that  when 
considering  the  5%  tolerance  limit. 

A  key  requirement  of  this  regulatory  program  is  that  facilities  should  use  the 
same  calculation  methodology  for  the  baseline  and  compliance  periods.  This  is 
required  because  it  is  possible  to  meet  the  emissions  intensity  obligations  by 
changing  the  calculation  methods  rather  than  by  any  improvement  in  efficiency. 
Testing  of  this  requirement  was  not  identified  in  all  verifier  reports. 

The  verification  reports  did  not  always  disclose  the  size  of  the  uncorrected 
errors.  The  Department's  guidance  also  does  not  require  that  verification  reports 
include  a  calculation  of  the  cumulative  impact  of  all  uncorrected  errors.  Most 
reports  in  our  sample  did  not  contain  this  information.  Such  information  makes 
it  easier  for  the  Department  to  determine  that  the  cumulative  uncorrected  errors 
are  within  the  5%  tolerance  limit. 


Minimum 
assurance  training 
requirements  for 
verifiers  were  not 
defined 


Verifier  qualifications 

There  is  no  guidance  on  the  specific  audit  training  that  individuals  performing 
verifications  should  have.  For  example,  courses  exist  that  provide  training  on 
GHG  verification  using  ISO  standards.  The  Department  has  not  assessed 
whether  these  courses  provide  sufficient  training  for  the  purposes  of  this 
Regulation  or  communicated  whether  these  courses  are  a  minimum  assurance 
requirement  for  verifiers.  The  Department  has  also  not  assessed  whether  the 
training  required  of  environmental  auditors  (who  are  not  chartered  accountants 
or  engineers)  provides  sufficient  technical  and  auditing  expertise. 


Additionally,  the  Department  allowed  verifiers  to  use  external  resources  for 
only  up  to  20%  of  the  verification  time  because  it  did  not  want  third-party 
verifiers  to  outsource  verification.  This  means  that  chartered  accountants  had 
limited  ability  to  hire  technical  quantification  expertise,  and  engineers  had 
limited  ability  to  hire  assurance  expertise  to  fill  in  any  competency  gaps. 
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Implication  and  risks  if  recommendation  not  implemented 

Having  clear  and  sufficient  guidance  for  verifiers  makes  it  more  likely  verifiers 
will  consistently  provide  all  the  information  the  Department  needs. 

4.3  Technical  review 
Recommendation 

We  recommend  that  the  Department  of  Environment  strengthen  its 
technical  review  processes  by: 

•  requiring  facilities  to  provide  a  process  map  with  their  compliance 
reporting  and 

•  ensuring  staff  document  their  follow-up  activity  and  decisions  in  the 
Department's  regulatory  database 

Background 

In  the  Department's  review  process,  technical  reviewers  who  are  professional 
engineers,  examine  each  baseline  and  compliance  submission  and  its  associated 
verification  report.  The  reviewers  use  a  checklist  to  document  their  findings  and 
recommend  to  management  whether  to  approve  the  submission  or  have  it 
re-verified. 

Facility  process  maps  outline  the  processes  a  facility  follows,  its  key  emission 
sources  and  key  pieces  of  equipment. 

Criteria:  the  standards  we  used  for  our  audit 

The  Department  should  monitor  facilities'  compliance  with  the  Regulation  by 
having  cost-effective  processes  to  enforce  compliance  and  follow  up  on 
deficiencies. 

Our  audit  findings 
Technical  review 

Overall,  we  found  that  the  Department  had  developed  reasonable  processes  for 
the  review.  The  reviewers  detected  errors  indicating  where  more  guidance  is 
necessary. 

Opportunities  for  We  found  the  following  opportunities  to  improve  the  Department's  processes: 

improvement  #     The  tccnnjcaj  reviewer  who  completed  the  review  checklist  was  not 

identified  in  the  checklist. 

•  The  reviewers  entered  only  limited  information  into  the  review  checklists, 
even  in  cases  where  they  noted  problems.  This  made  it  difficult  to 
understand,  without  talking  to  the  reviewer,  how  issues  were  followed  up 
and  resolved.  This  knowledge  is  lost  when  reviewers  change  employment. 

•  Generally,  the  reviewers  did  not  contact  the  verifiers  to  clarify  information 
in  the  verification  reports  or  inquire  about  information  that  was  missing, 
but  needed  by  the  Department.  The  Department  told  us  that  the  reviewers 


Department  staff 
perform  reviews 
of  baseline, 
compliance  and 
offset  reports 


Report  of  the  Auditor  General  of  Alberta 
October  2009 


45 


Environment 


Alberta's  Response  to  Climate  Change — Part  2 


did  not  contact  the  verifiers  because  the  Department  does  not  have  a 
contractual  relationship  with  verifiers,  who  are  hired  by  the  facilities.  This 
situation  constrains  the  Department's  ability  to  assess  the  verification 
process  and  results. 

•  Specific  evidence  standards  were  not  in  place  for  additional  evidence 
facilities  provide  directly  to  the  reviewers  in  response  to  questions  arising 
during  the  review.  The  accuracy  of  this  data  was,  therefore,  not  known. 

•  Facilities  provided  reviewers  with  narratives  of  the  processes  used  at  each 
facility.  However,  there  was  no  requirement  for  facilities  to  provide  process 
maps.  These  maps  would  be  useful  in  helping  reviewers  understand  the 
processes  used  at  the  facilities. 

Implication  and  risks  if  recommendation  not  implemented 

Without  well-designed  and  documented  processes  to  assess  the  quality  of 
facility  submissions  and  verification  reports,  the  Department  will  not  efficiently 
detect  non-compliance  with  the  Regulation. 

4.4  Use  of  offsets  to  meet  compliance  obligations 
Recommendation  No.  4 

We  recommend  that  the  Department  of  Environment: 

•  strengthen  its  offset  protocols  to  have  sufficient  assurance  that  offsets 
used  for  compliance  are  valid 

•  assess  the  risk  of  offsets  applied  in  Alberta  having  been  used  elsewhere 
in  the  world 

Background 

Facilities  that  are  subject  to  the  Regulation  can  purchase  offsets  to  meet  their 
compliance  obligation.  Eligible  offsets  must  meet  criteria  defined  by  the 
Department.  Offsets  must: 

•  result  from  actions  taken  on  or  after  January  1 ,  2002 

•  be  real,  demonstrable  and  quantifiable 

•  not  be  from  an  action  required  by  law 

•  have  clearly  established  ownership 

•  be  counted  only  once  for  compliance  purposes 

•  be  verified  by  a  qualified  third  party  to  a  limited  level  of  assurance 

•  be  based  on  action  that  occurred  in  Alberta 

The  Department  also  approved  protocols  that  a  project's  proponent  must  follow 
to  quantify  the  offset  available  from  a  project's  emission  reductions.  The 
Department  decided  to  allow  only  offsets  created  in  Alberta.  As  a  result,  in 
developing  the  protocols,  the  Department  needed  to  ensure  that  its  protocols 
reflect  relevant  climate,  temperature  and  soil  conditions  in  Alberta. 
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The  Alberta 
Emissions  Offset 
Registry  records 
offsets  used  for 
compliance 


Offset  guidance 
developed 


Need  to  define 
information  to 
corroborate  tillage 


Once  offset  tonnes  are  verified,  the  project  proponent  may  choose  to  register  the 
tonnes  with  the  Alberta  Emissions  Offset  Registry  administered  by  Climate 
Change  Central.  The  Department  does  not  require  registration  of  verified  offset 
tonnes  until  a  facility  submits  the  offsets  to  the  Department  to  meet  a  facility 
compliance  obligation.  At  that  point,  the  Department  requires  the  project 
documentation  to  be  posted  on  the  Registry  website. 

The  Department  developed  guidance  documents  for  both  the  project's 
proponent  and  its  verifier.  All  offset  projects  used  for  compliance  in  the  2007 
reporting  period  were  re-verified  by  verifiers  hired  by  the  Department. 

GHG  regulation  is  evolving  in  North  America  and  the  world.  At  this  time,  there 
is  no  one  registry  that  records  all  of  the  offsets  registered  and  used  throughout 
the  world. 

Criteria:  the  standards  we  used  in  our  audit 

The  Department's  guidance  for  offset  projects  and  for  the  verification  of 
reductions  from  offsets  should  be  sufficiently  robust  to  ensure  that  the  offsets  are 
valid. 

Our  audit  findings 

Tillage  guidance 

The  offset  protocols  allowed  offsets  to  be  claimed  for  activities  that  occurred  in 
the  2002-2006  period,  well  before  the  timing  of  any  verification  activities.  For 
the  tillage  protocol,  the  Department  identified  "farm  records  and  an  affirmation 
from  the  project  developer"  as  the  source  of  evidence  for  no-till  and  reduced-till 
practices,  but  did  not  indicate  required  sources  of  corroborating  evidence  to 
substantiate  the  records. 

In  our  opinion,  the  level  of  evidence  defined  as  acceptable  by  the  Department 
falls  below  that  which  is  necessary  to  provide  assurance  that  the  offset  credits 
actually  existed.  The  Department  should  work  with  project  proponents  to 
identify  other  sources  of  evidence  that  the  proponents  will  be  able  to  collect  and 
the  verifiers  will  be  able  to  test.  We  acknowledge  that  in  the  2007  compliance 
period,  through  the  processes  of  verification  and  re-verification,  the  Department 
obtained  assurance  that  verifiers  collected  corroborating  evidence.  We  also 
acknowledge  that,  by  the  end  of  our  audit,  the  Department  was  in  the  process  of 
assessing  the  2008  offsets  used  for  compliance  reporting. 

The  definition  in  the  protocol  for  no-till  and  reduced-till  practices  uses  the  terms 
^tillage"  and  "cultivation"  without  defining  them.  The  terms  should  be  defined 
to  ensure  consistent  understanding  of  tillage  practices. 
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Eligibility 
guidance  needs 
clarification 


Landfill  guidance 

The  offset  credit  project  guidance  document  addresses  project  eligibility  in 
several  sections.  However,  the  wording  used  to  describe  which  projects  are 
eligible  is  not  consistent  between  different  sections  of  the  guidance  document. 
As  a  result,  there  is  increased  uncertainty  as  to  which  projects  should  be 
considered  eligible.  For  example,  one  section  of  the  guidance  document 
determines  eligibility  based  on  the  date  landfill  gas  is  first  combusted  under 
controlled  conditions  or  on  the  first  date  of  system  operation;  another  section 
bases  eligibility  on  reductions  being  additional  to  what  would  otherwise  have 
occurred  in  Alberta,  prior  to  the  release  of  the  2002  climate  change  plan. 


These  approaches  can  yield  different  answers.  There  is  also  no  guidance  given 
on  the  evidence  that  proponents  should  have  in  place  to  support  being  additional 
to  what  would  have  occurred  otherwise. 


Protocols  should 
require  certain 
adjustments 


Assumptions  in  protocols 

The  Department's  offset  protocols  contain  assumptions  that  affect  the 
calculation  of  the  emissions  in  the  baseline  activity  which  may  not  be  accurate 
for  all  cases.  For  example: 

•  the  landfill  protocol  has  an  assumption  about  the  efficiency  of  an  open  flare 
which  one  verifier  identified  as  potentially  inaccurate. 

•  in  the  2007  afforestation  protocol,  the  baseline  activity  is  presumed  to  be  a 
prescribed  burn  of  the  land.  Project  proponents  are  not  required  to 
demonstrate  whether  this  is  a  correct  assumption  for  their  land;  therefore, 
they  do  not  have  to  justify  their  claim  for  these  credits.  We  acknowledge 
that  the  Department  has  since  removed  this  protocol. 

None  of  the  protocols  are  clear  in  requiring  project  proponents  to  adjust 
assumptions  in  the  protocols  about  sources  and  sinks  where  they  do  not 
accurately  reflect  the  sources  and  sinks  for  the  project.  As  a  result,  projects  may 
be  verified  in  accordance  with  the  protocols  when  in  fact,  the  actual  emission 
reduction  or  carbon  sequestration  is  significantly  different  than  that  calculated 
using  the  protocol. 


The  offset  credit  project  guidance  document  indicates  that  verifiers  need  to 
check  whether  project  proponents  have  ownership.  The  guidance  does  not 
specify  the  controls  and  processes  that  should  be  in  place  when  a  project 
proponent  does  not  obtain  ownership,  and  is  instead  acting  as  agent  for  the 
owners  of  the  credits.  The  guidance  also  does  not  indicate  the  procedures  that 
offset  project  verifiers  and  compliance  report  verifiers  should  do  to  verify 
ownership  in  this  case. 
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ISO  14064-2  identifies  the  principle  of  conservativeness  in  relation  to  offset 
projects.  This  is  a  key  principle  that  exists  to  help  ensure  that  offset  projects  do 
not  overstate  emission  reductions.  The  Department's  guidelines  do  not  clearly 
incorporate  this  principle,  which  has  general  application  on  offset  projects  and 
acts  to  ensure  any  emission  reductions  claimed  are  real,  particularly  where 
uncertainty  exists  in  relation  to  some  of  the  data. 

Processes  to  detect  duplicate  offsets 

The  Alberta  Emissions  Offset  Registry  has  an  automated  process  to  check  that 
tillage  offsets  are  used  only  once  in  Alberta  by  checking  the  legal  land 
description.  While  proponents  are  supposed  to  notify  the  Registry  if  ownership 
has  changed,  there  is  no  automated  process  to  check  for  non-tillage  projects. 
There  is  also  no  process  for  any  of  the  offset  projects,  other  than  an  assertion  by 
the  project  proponent,  to  confirm  that  the  offsets  have  not  been  previously 
posted  to  another  registry  and  sold  elsewhere  in  the  world. 

The  Department  has  not  yet  assessed  the  risk  that  offsets  could  be  posted  to 
another  registry. 

Implication  and  risks  if  recommendation  not  implemented 

Facilities  may  meet  their  compliance  obligations  through  purchasing  offsets  that 
are  not  valid. 

4.5  Outsourced  service  providers 
Recommendation 

We  recommend  that  the  Department  of  Environment  develop  controls  to 
gain  assurance  that  data  hosted  or  processed  by  third  parties  is  complete, 
accurate  and  secure. 

We  also  recommend  that  the  Department  of  Environment  formalize  its 
agreement  with  its  service  provider  for  the  Alberta  Emissions  Offset 
Registry. 

Background 

Outsourced  services 

The  Department  relies  on  Climate  Change  Central  (C3)  to  develop  and 
administer  the  Alberta  Emissions  Offset  Registry.  C3  is  responsible  for 
ensuring: 

•  offset  proponents  provide  all  required  documentation  to  support  the  offsets 

•  serial  numbers  are  provided  for  all  offsets 

•  changes  in  ownership  are  recorded 

•  there  are  no  duplicate  tillage  projects  on  the  Registry 


Process  for 
checking  for 
duplicates  should 
be  broadened 


Alberta  Emissions 
Offset  Registry 
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•  offsets  that  have  been  used  to  reduce  facility  compliance  obligations  are 
recorded 

C3  is  a  not-for-profit  company. 

Criteria:  the  standards  we  used  for  our  audit 

The  Department  should  implement  reliable,  secure  and  effective  administrative 
systems  to  support  the  Specified  Gas  Emitters  Regulation  program. 

Our  audit  findings 

We  found  that: 

•  The  Department  does  not  have  a  process  to  periodically  verify  that  C3  is 
performing  all  functions  the  Department  requires. 

•  The  Department  does  not  have  a  signed  agreement  with  C3. 

Implications  and  risks  if  recommendation  not  implemented 

Without  effective  controls  over  services  the  Department  obtains  from 
outsourced  service  providers,  the  Department  cannot  demonstrate  that  its  data  is 
complete,  accurate  and  will  be  available  when  needed. 

4.6  Error  correction  threshold 
Recommendation 

We  recommend  the  Department  of  Environment  establish  an  error 
correction  threshold  that  considers  not  only  the  percentages  of  emissions  or 
production,  but  also  the  dollar  impact  on  the  Climate  Change  and 
Emissions  Management  Fund. 

Background 

The  Department  requires  facilities  to  correct  errors  found  by  verifiers  if  they 
exceed  5%  of  the  total  reported  emissions  and/or  production,  either  individually 
or  in  aggregate. 

Criteria:  the  standards  we  used  in  our  audit 

The  Department  should  monitor  facilities'  compliance  with  the  Regulation  by 
having  cost-effective  systems  to  ensure  facilities  accurately  and  completely 
calculate  and  record  fees  owing  to  the  Fund. 

Our  audit  findings 

The  Department's  guidance  to  verifiers  indicates  that  it  will  not  require 
facilities  to  adjust  reporting  errors  if  the  error  is  less  than  5%  of  emissions 
and/or  production.  When  creating  the  error  correction  threshold,  the  Department 


6  Alta.  Reg.  139/2007 
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did  not  determine  what  the  effect  of  this  threshold  could  be  in  terms  of  revenue 
not  being  required  to  be  remitted  to  the  Fund.  The  Department  later  calculated 
that  the  maximum  possible  annual  amount  of  errors  tolerated  under  a  5% 
threshold  would  be  approximately  $130  million.  This  calculation  assumes  the 
unlikely  scenario  that  all  facilities  made  errors  in  both  baseline  and  compliance 
reporting. 

Notwithstanding  the  guidance  provided  to  verifiers  and  facilities,  the 
Department  exercised  its  judgment  to  decide  which  errors  below  5%  should  be 
corrected  by  the  facilities  and  whether  the  correction  should  be  done 
retroactively  or  prospectively.  The  Department  did  not  create  a  formal  guideline 
for  its  staff  that  would  ensure  facility  errors  less  than  the  5%  were  treated 
consistently.  Nor  did  the  Department  quantify  the  dollar  amount  of  the  errors 
that  it  allowed  to  remain  uncorrected. 

Implication  and  risks  if  recommendation  not  implemented 

The  Department  is  unable  to  demonstrate  that  its  error  correction  threshold  is 
appropriate. 

4.7  Cost-effectiveness  of  regulatory  processes 
Recommendation  No.  5 

We  recommend  that  the  Department  of  Environment  assess  the  cost- 
effectiveness  of  the  Specified  Gas  Emitters  Regulation. 

Background 

The  European  Union  Emissions  Trading  Scheme  (the  Scheme)  is  an  example  of 
one  of  only  a  few  GHG  reduction  regulatory  systems  currently  in  place.  The 
National  Audit  Office  (NAO)  in  England  recently  concluded  a  review  on  the 
Scheme.7  For  the  period  reviewed  by  the  NAO,  the  Scheme  required  companies 
to  report  C02  emissions,  but  not  the  emissions  associated  with  other  GHG 
gases.  The  NAO  reported  that  companies  responding  to  its  October  2008  survey 
indicated  "they  had  average  annual  costs  of  monitoring  and  reporting  of 
£26,000  [approximately  $46,000  CAD]  and  average  annual  verification  costs  of 
£9,000  [approximately  $16,000  CAD].,, 

Criteria:  the  standards  we  used  in  our  audit 

The  Department  should  monitor  the  cost-effectiveness  of  the  Regulation. 

Costs  are  those  incurred  by  facilities  and  the  Department  in  implementing  the 
Regulation.  Effectiveness  is  actual  emissions  intensity  reductions  in  relation  to 
targets. 


7  European  Union  Emissions  Trading  Scheme:  A  Review  by  the  National  Audit  Office  March  2009. 
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Department  needs 

benchmarking 

information 


Our  audit  findings 
Benchmarking  information 

The  Department  has  information  on  the  hours  spent  by  verifiers  and  the  costs  of 
verifications  only  in  cases  where  it  required  re-verifications.  Having 
information  on  the  hours  spent  and  the  verifier  costs  for  all  facilities  would  help 
the  Department  to  better  understand  the  verifications  being  done. 


The  Department  does  not  collect  information  that  would  allow  it  to  compare 
facilities'  costs  of  preparing  compliance  reports  to  others,  for  example,  in  the 
NAO  survey. 


Model  used  to 
predict  effect  of 
contribution  rate 
on  emissions 
reductions 


Modeling  information  to  assess  facility  emission  reduction  costs 

The  main  purpose  of  the  Regulation  is  to  support  Alberta's  commitment  to  take 
effective  action  on  climate  change.  The  Department  uses  a  model  to  estimate 
the  amount  that  the  $15/tonne  contribution  rate  would  have  to  increase  before 
facilities  would  choose  to  make  emissions  reductions  instead  of  contributing  to 
the  Fund. 


The  Department  uses  a  model  partly  because  it  has  concluded  that  obtaining 
such  information  from  facilities  would  be  difficult.  Instead,  the  Department 
plans  to  test  the  accuracy  of  the  model  if  and  after  the  Department  changes  the 
contribution  rate.  Even  though  it  may  be  difficult  to  obtain  direct  information 
from  facilities,  we  believe  it  would  be  preferable  to  test  the  accuracy  of  the 
model  by  getting  information  from  the  facilities  prior  to  making  any  rate 
changes. 

Reasonable  assurance  versus  limited  assurance 

The  Department  decided  to  have  verifications  for  baseline,  compliance  and 
offset  reports  at  a  limited  (moderate)  assurance  level  instead  of  a  reasonable 
(audit)  level  of  assurance. 

European  firms  required  to  comply  with  the  Scheme  must  have  their  emissions 
verified  by  third  parties  using  an  audit  level  of  assurance.  The  Government  of 
Canada's  proposed  offset  program  also  requires  verification  to  be  done  using  an 
audit  level  of  assurance.  The  Department  should  seek  to  understand  why  these 
regulators  chose  an  audit  level  of  assurance. 

Implication  and  risks  if  recommendation  not  implemented 

The  Department  will  not  know  whether  the  results  achieved  by  the  Regulation 
justify  costs  incurred  by  the  facilities  and  the  Department. 


More  information 
needed  to  assess 
appropriate 
assurance  level 
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Public  Affairs  Bureau— Media 
Contracting  Services 

1.  Summary 

What  we  examined 

From  1996  to  2008,  the  Public  Affairs  Bureau  (PAB)  contracted  Highwood 
Communications  Ltd.  (Highwood)  as  its  Agency  of  Record  for  Media  Buying 
(Media  Buyer),  to  arrange  and  purchase  media  services  for  government.  The 
contract  required  Highwood  to  buy  print  and  electronic  media  services  on 
PAB's  behalf,  for  which  Highwood  earned  a  4%  service  fee. 

To  ensure  a  competitive  process,  the  media  buying  contract  expired  every  three 
years.  The  contract  was  awarded  to  Highwood  on  three  occasions.  After  the 
most  recent  competition,  PAB  awarded  the  contract  to  DDB  Canada,  in 
June  2008. 

In  July  2008,  Highwood  filed  a  Notice  of  Intention  to  Make  a  Proposal 
(Proposal)  under  the  Bankruptcy  and  Insolvency  Act  (BIA)!  as  it  could  not  pay 
$5.3  million  of  liabilities  due  to  its  creditors.  We  estimate  that  at  least  35%  of 
these  liabilities  related  to  government  media  purchases,  where  the  government 
had  paid  Highwood  in  full  but  Highwood  had  not  paid  the  actual  service 
suppliers. 

Our  audit  examined  how  the  PAB  monitors  terms  and  conditions  of  its  media 
buying  contract.  We  did  not  audit  Highwood's  books  and  records  or  examine 
the  reasons  for  its  business  failure,  as  this  falls  within  the  purview  of  the  BIA. 

Why  this  is  important  to  Albertans 

Each  year,  the  Alberta  government  spends  about  $6  million  to  communicate 
with  Albertans  through  various  media  campaigns.  These  campaigns  range  from 
telling  the  public  about  a  new  government  program  to  making  public  service 
announcements  about  fire  bans,  for  example.  Albertans  need  to  be  confident 
that  public  funds  for  these  media  services  are  spent  wisely. 

What  we  found 

We  found  that  PAB  and  the  departments  have  adequate  systems  to  monitor  the 
media  services  contract.  The  PAB  and  departments  followed  good  practices, 
paying  the  Media  Buyer's  final  invoices  only  after  ensuring  that  the  media 


1  Bankruptcy  and  Insolvency  Act,  R.S.C.  1985,  c.  B-3. 
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services  were  actually  received.  Overall,  we  found  the  government  received  the 
media  services  it  paid  for. 


PAB  monitoring 
new  media  buyer 


The  PAB  did  not  obtain  assurance  from  Highwood  that  it  was  paying  its 
creditors  and  was  therefore  unaware  of  Highwood' s  deteriorating  financial 
condition.  The  PAB  has  chosen  to  require  its  new  contractor,  DDB  Canada,  to 
regularly  demonstrate  that  it  pays  its  suppliers  of  media  services  for  work 
performed  on  behalf  of  the  government. 


Government  at 
risk  if  media 
supplier  not  paid 


The  Media  Buyer's  nonpayment  of  media  suppliers  may  pose  certain  risks  to 
the  government,  such  as  disruption  of  media  services.  In  addition,  there  may  be 
other  risks  that  the  government  has  not  fully  assessed,  such  as: 

•  not  receiving  services  already  fully  paid  for 

•  damage  to  government's  reputation 

•  exposure  to  potential  claims  of  liability 


PAB  has  other 
contracts  requiring 
risk  assessments 


These  risks  may  also  apply  to  other  PAB  contracts.  The  PAB  has  three  other 
Agency  of  Record  contracts  for  human  resources  recruitment,  legal  tenders  and 
informational  advertising.  PAB  has  not  conducted  an  assessment  of  the 
potential  risks  associated  with  these  contracts.  A  risk  assessment  would  help 
government  identify  and  manage  its  risks. 


How  well  does 
PAB  monitor 
media  buying 
contract? 


What  needs  to  be  done 

The  PAB  needs  to  assess  its  Agency  of  Record  contracts  to  identify  risks  such 
as  disruption  of  services,  and  develop  ways  to  manage  these  risks. 


2.  Audit  objectives  and  scope 


Our  objective  was  to  examine  how  PAB  monitors  the  service  contract  with  its 
Media  Buyer.  Our  scope  was  to  examine  contracts  with  Highwood 
Communications  Ltd.  from  1996  to  2008,  as  well  as  the  contract  currently  in 
place  with  DDB  Canada.  We  examined  documents  and  conducted  interviews  at 
several  government  departments,  as  well  as  interviewed  Highwood' s 
management  and  the  Trustee  in  Bankruptcy  (Trustee)  who  administered 
Highwood's  Proposal  under  the  BIA. 


Did  not  audit 
Highwood's  books 
and  records 


We  did  not  audit  Highwood's  books  and  records  relating  to  payments  it 
received  from  government;  nor  did  we  examine  the  reason  for  its  financial 
difficulties.  That  is  the  responsibility  of  the  Trustee. 
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3.  Background 

The  PAB  is  a  branch  of  the  Government  of  Alberta's  Ministry  of  Executive 
Council;  it  assists  government  departments  in  purchasing  media  services.  The 
PAB  coordinates  all  advertising  competitions  for  the  Government  of  Alberta 
and  manages  all  cross-government  advertising  contracts.2  It  is  also  responsible 
for  developing,  implementing  and  monitoring  compliance  with  the 
government's  communications  objectives  as  well  as  its  advertising  policy  and 
procedures. 

The  PAB  contracts  the  government's  media  buying  requirements  to  its  Media 
Buyer.  The  Media  Buyer  works  directly  with  advertising  service  providers  to 
supply  media  services  to  the  government  departments.  It  is  the  Media  Buyer's 
responsibility  to: 

negotiate  rates  for  media  services 
coordinate  the  purchase  of  media  time  or  space 
prepare  insertion  orders 

provide  post-buy  analyses  to  departments  or  programs 
facilitate  invoicing  and  to  pay  suppliers 
report  on  all  the  advertising  buying  activity  to  PAB 

The  government  has  no  direct  contractual  relationship  with  media  suppliers. 
Rather,  the  Media  Buyer  contracts  directly  with  media  suppliers  and  is 
responsible  for  paying  them.  The  Media  Buyer  then  submits  its  invoices  to  the 
departments  that  actually  received  the  services. 

Highwood  made  annual  purchases  from  media  suppliers  such  as  newspapers, 
radio  and  television  stations  in  the  range  of  $4.6  to  $7.6  million  and  received  a 
4%  service  fee  on  these  purchases.  The  contract  did  not  have  a  maximum 
amount.  The  following  table  illustrates  payment  details: 


Yearly  media  buys 


Fiscal  Year 

Payments  to 
Highwood3 

Media 
Portion 

Highwood's 
Service  Fees 

2007/08 

6,766,336 

6,506,092 

260,244 

2006/07 

6,465,101 

6,216,443 

248,658 

2005/06 

7,595.533 

7.303,397 

292,136 

2004/05 

5,525,864 

5,310,331 

215,533 

2003/04 

4,590,844 

4.414,273 

176,571 

Totals 

$30,943,678 

$29,753,536 

$1,190,142 

2  Contracts  for  advertising  include  employment  openings,  program  changes  and  other  issues  that  the  government  needs  to 

provide  information  with  the  public. 
1  As  reported  in  the  General  Revenue  Fund-  Details  of  Grants.  Supplies,  Services,  Tangible  Capital  Assets  and  Other 

Payments  by  Payee. 
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Media  purchase 
process 


The  process  for  media  purchases  was  that: 

•  A  department  would  contact  Highwood  directly,  outlining  media  details 
and  dates  for  the  campaign. 

•  Highwood  would  make  the  media  buy  requested  by  the  department. 

•  Following  the  industry's  standard  practice,  Highwood  would  pre-bill,  and 
the  department  would  pre-pay  up  to  80%  of  the  media  costs  and 
Highwood's  service  fee. 

•  Highwood  would  send  a  final  invoice  for  the  remaining  20%  of  the  media 
cost  and  Highwood's  service  fee  directly  to  the  department. 

•  Highwood  prepared  quarterly  reports  on  media  spending,  which  they 
distributed  directly  to  the  departments  and  PAB. 


Highwood  files 

Proposal 


In  June  2008,  PAB  awarded  the  Media  Buyer  contract  to  DDB  Canada.  On 
July  11,  2008,  Highwood  filed  a  Proposal  under  Part  III  of  the  BIA.  A  Trustee 
administering  the  proposal  determined  that  Highwood  had  $5.3  million  of 
liabilities  to  unsecured  creditors  and  realizable  assets  of  only  $2.1  million. 


Trustee's  role 


Under  the  BIA,  a  Trustee  is  licensed  by  the  Superintendent  of  Bankruptcy  to 
administer  proposals  and  bankruptcies  and  manage  assets  held  in  trust.  A 
Trustee  can  give  a  debtor  information  and  advice  about  the  proposal  and 
bankruptcy  processes  and  must  make  sure  that  the  debtor's  rights  and  the 
creditor's  rights  are  respected.  A  Trustee  has  a  mandate  to  locate  and  secure 
assets  on  behalf  of  the  estate  for  the  benefit  of  creditors. 


4.  Our  findings  and  recommendation 

PAB's  Agency  of  Record  risk  assessment 
Recommendation 

We  recommend  that  the  Public  Affairs  Bureau  conduct  a  risk  assessment 
of  its  Agency  of  Record  contracts  and  develop  a  plan  to  manage  the  risks  it 
identifies. 


Highwood  media 
buyer  from  1 996 
to  2008 


DDB  Canada 
becomes  media 
buyer  in  2008— 
Highwood  files 
proposal 


Background 

The  PAB  signed  a  Media  Buyer  three-year  contract  with  Highwood  in  1996  and 
1999.  The  1999  contract  had  a  one-year  extension.  In  2003,  PAB  and 
Highwood  signed  a  third  three-year  Media  Buyer  contract.  This  contract  was 
extended  twice.  All  contracts  were  awarded  through  an  open  competition. 

In  June  2008,  PAB  signed  a  contract  with  DDB  Canada  as  the  Media  Buyer.  In 
July  2008,  Highwood  filed  a  Proposal  under  Part  III  of  the  BIA.  At  the  time, 
Highwood  had  liabilities  of  $5,260,746,  and  realizable  assets  of  $2,064,000.4 
Determining  the  exact  amount  of  liabilities  that  related  to  government  media 
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buys  would  have  required  considerable  audit  work  at  Highwood  and  its  sen  ice 
suppliers,  which  was  beyond  the  scope  of  this  audit.  However,  on  the  basis  of  a 
high-level  analysis,  we  estimate  that  at  least  35%  of  Highwood's  liabilities 
related  to  government  media  buys. 

Criteria:  the  standards  we  used  for  our  audit 

The  PAB  should  have  effective  processes  to  assess  risks  and  benefits  when 
entering  into  business  contracts. 


PAB  now 
monitoring  media 
buyer  to  ensure 
creditors  paid 


Departments  have 
adequate  systems 
to  pay  invoices 


Media  buyer 
provides  valuable 
service 


DDB  Canada 
contract  different 
from  Highwood's 
contract 


Our  audit  findings 

We  found  that  PAB  has  adequate  systems  in  place  to  monitor  the  service 
contract  with  its  Media  Buyer  and  that  the  government  received  the  media 
services  it  paid  Highwood  for.  In  2008,  PAB  introduced  a  system  for 
monitoring  the  Media  Buyer's  payments  to  media  suppliers  after  conducting  a 
risk  assessment  of  this  contract.  However,  PAB  has  three  other  Agency  of 
Record  contracts5  that  have  not  been  assessed  for  risk  issues. 

We  found  that  the  departments  have  adequate  systems  for  paying  the  Media 
Buyer's  invoices.  There  are  close  working  relationships  between  department 
communications  branches  and  program  areas.  The  Media  Buyer's  invoices  were 
usually  sent  first  to  a  department's  communications  branch  for  processing.  The 
communications  branch  would  then  ensure  the  campaign  associated  with  the 
invoice  was  running  and,  to  the  extent  possible,  confirm  that  the  various  media 
activities  were  taking  place.  The  communications  branch  would  forward  the 
invoice  to  the  department's  program  area  for  their  approval  and  payment. 

The  departments  told  us  the  Media  Buyer  provides  a  valuable  service.  We  heard 
numerous  positive  comments  about  a  Media  Buyer's  value,  from  coordinating 
various  media  buys  on  short  notice  to  providing  guidance  as  to  the  best  ways  to 
reach  various  target  audiences.  We  were  also  told  that  this  service  would 
generally  not  be  something  that  government  employees  could  provide,  because 
it  requires  constantly  updated  industry  experience  and  contacts. 

The  DDB  Canada  contract  signed  in  2008  had  several  differences  from  the 

2003  Highwood  contract.  These  changes  included: 

•     The  Media  Buyer's  advanced  bill,  and  therefore  the  department's 

pre-payment  of  media  services,  has  increased  from  80%  to  100%o  of  the 

media  costs  and  service  fee. 


5  These  agencies  provide  human  resources,  legal  tender  and  informational  advertising  services. 
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The  Media  Buyer  now  keeps  tear  sheets  or  other  service  confirmations  on 
their  files  instead  of  submitting  them  with  invoices  to  the  departments.  The 
invoices  are  paid  before  the  tear  sheets  are  available. 


Increased  risk, 
PAB  monitoring 
DDB  Canada 


Under  their  current  contract  with  DDB  Canada,  PAB  has  implemented  a 
process  to  verify  that  media  service  providers  are  being  paid  by  the  Media 
Buyer.  The  process  to  verify  that  the  Media  Buyer  is  paying  the  media  suppliers 
has  added  importance  as  the  pre-payment  of  the  Media  Buyer's  invoices  has 
increased  from  80%  to  100%. 


PAB  has  other 
contracts  requiring 
risk  assessment 


Given  its  experience  with  Highwood  and  the  risks  associated  with  pre-paying 
for  services,  PAB  should  conduct  a  risk  assessment  of  its  contractual 
arrangement  with  its  three  other  Agencies  of  Record.  This  assessment  would 
include: 

•  identifying  the  risks  associated  with  each  contract,  whether  they  are 
financial,  legal  or  reputational 

•  evaluating  the  level  of  risk  PAB  is  prepared  to  take 

•  identifying  ways  to  manage  or  mitigate  the  risk 


A  risk  assessment  would  help  PAB  make  informed  decisions  as  to  the  level  of 
risk  it  is  prepared  to  take  and  then  establish  a  plan  to  manage  that  risk. 


Implications  and  risks  if  recommendation  not  implemented 

Without  a  risk  assessment  of  the  contracts,  the  Public  Affairs  Bureau  may  be 
unaware  of  the  level  of  risk  it  is  taking  on,  which  may  lead  to  financial  loss, 
damage  to  reputation  or  a  disruption  in  communications  to  the  people  of 
Alberta. 


"Tear  sheets"  denotes  a  page  cut  or  torn  from  a  publication  to  prove  to  the  client  that  the  advertisement  was  published. 
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EHR  is  a 
summary  of  an 
individual's  health 
history  and  care 


EHR  consists  of 
many  systems 


Auditing 
concurrently  with 
five  other 
provinces 


1.  Summary 

What  is  an  electronic  health  record? 

Conceptually,  an  electronic  health  record  is  a  summary  of  an  individual's  key 
health  history  and  care.  Ideally,  such  a  record  would  be  available  electronically 
to  authorized  health  care  providers  anywhere  in  Canada,  at  any  time,  and 
accessible  online  from  many  separate  yet  compatible  computer  systems  within 
a  network.  The  terms  electronic  health  record  (EHR)  and  electronic  medical 
record  (EMR)  have  recently  gained  widespread  use,  and  are  often  used 
interchangeably.  Electronic  health  records  allow  health  care  providers  to  view  a 
patient's  medical  history,  including  laboratory  results,  diagnostic  images  and 
prescribed  medication.  An  EMR,  by  contrast,  is  an  electronic  record  maintained 
by  a  physician;  it  may  or  may  not  be  shared  with  other  health  care  providers. 

An  electronic  health  record  is  made  up  of  information  from  a  variety  of  sources 
including  hospitals,  clinics,  pharmacies  and  laboratories  (i.e.,  health  care 
providers).  The  record  contains  several  key  data  elements  that  are  critical  for 
treatment.  This  information  is  collected  through  a  common  system  accessed  by 
health  care  providers  and  stored  in  a  series  of  databases. 

What  we  examined 

We  assessed  whether  the  Department  of  Health  and  Wellness  has  effective 
processes  to  manage  the  implementation  of  electronic  health  record  systems  for 
Albertans.  Physically,  an  electronic  health  record  exists  in  many  systems  that 
reside  in  many  locations  throughout  the  province,  under  the  control  and 
direction  of  multiple  organizations. 

The  scope  of  our  audit  was  limited  to  examining  the  components  of  the  EHR 
systems  that  are  funded  using  taxpayers'  dollars.  Our  audit  did  not  include 
non-government  entities  such  as  clinics,  pharmacies  and  laboratories.  Nor  did 
we  examine  systems  in  hospitals  for  collecting  patient  information.  When  we 
refer  to  the  EHR  systems,  we  are  only  referring  to  systems  within  the  scope  of 
our  audit. 

Concurrent  with  our  audit  of  the  Alberta  EHR  systems,  five  other  provincial 
audit  offices  will  audit  how  electronic  health  records  are  being  implemented  in 
their  respective  jurisdictions.  In  addition,  the  Office  of  the  Auditor  General  of 
Canada  is  auditing  Canada  Health  Infoway's  processes  for  distributing  federal 
funds  to  each  jurisdiction.  The  provincial  audit  offices  will  each  report 
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separately;  the  Office  of  the  Auditor  General  of  Canada  will  issue  a  joint 
summary  report  on  all  of  the  audits  in  2010. 


EHR  systems 
should  be  efficient 
and  cost  effective 


Why  it  is  important  to  Albertans 

Increased  costs  of  health  care,  the  high  level  of  interaction  necessary  between 
health  care  specialists,  and  the  fundamental  principle  of  responsible 
management  of  taxpayers'  money,  make  it  paramount  to  ensure  that  health  care 
is  delivered  in  the  most  cost-effective  way  possible.  An  electronic  health  record 
is  a  means  to  save  money  and  improve  health  care  by  automating  the  collection 
and  retrieval  of  critical  health  care  information. 


An  EHR  should 
be  complete, 
accurate,  available 
and  confidential 


Health  care  in  Alberta  has  traditionally  been  a  paper-based  system.  For 
example,  to  treat  one  patient,  physicians,  nurses  and  physiotherapists  each  may 
create,  and  need  to  access,  separate  records.  For  this  information  to  be  effective 
for  treating  patients,  it  should  be  complete,  accurate,  and  available  when 
needed.  Patient  information  should  also  be  protected  so  that  individuals  do  not 
suffer  as  a  result  of  misuse  of  their  personal  information. 


Other  countries 
already  have 
EHRs 


Many  countries,  including  Canada,  have  looked  at  information  technology  as  a 
solution  for  providing  cost-effective  and  efficient  health  care.  It  is  widely 
believed  that  fully  functional  EHR  systems  will  save  lives  and  reduce  health 
care  costs.  Countries  such  as  New  Zealand,  Denmark,  the  Netherlands,  the 
United  Kingdom  and  Australia  have  adopted  an  electronic  health  record  for 
recording  and  tracking  patient  events. 


No  integrated 
delivery  plan  that 
connects 
initiatives 


What  we  found 
Accountability 

The  Department  does  not  have  a  documented  integrated  delivery  plan  that 
connects  the  detailed  plans  of  each  of  the  many  initiatives  that  make  up  EHR 
systems  to  the  priorities  of  the  strategic  plan.  Communication  of  strategic 
priorities  and  resourcing  decisions  was  not  always  consistent  and  clear. 
Reporting  of  progress  to  decision  makers  was  not  regular  or  complete — as  a 
result,  decision  makers  do  not  always  have  the  information  necessary  to  make 
informed  decisions. 


Governance  of 
EHR  is  by 
committee 


The  Minister  of  Health  and  Wellness  is  responsible  for  health  care  in  Alberta. 
The  Department  of  Health  and  Wellness  has  worked  on  developing  and 
implementing  a  province-wide  EHR  since  1997.  The  governance  of  the  EHR 
systems  has  evolved  through  collaboration  of  the  Department,  Alberta  Health 
Services,  and  various  stakeholders  (physicians,  laboratories,  pharmacies,  etc.). 
The  Department  implemented  a  governance  structure  that  includes 
representation  from  all  participating  organizations.  Governance  of  the  EHR 
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systems  is  by  committee,  with  the  Deputy  Minister  of  Health  and  Wellness 
chairing  the  EHR  Governance  Committee. 

To  ensure  accountability,  all  parties  must  have  a  common  understanding  of  the 
strategic  priorities  and  decisions  regarding  allocation  of  resources.  This 
common  understanding  is  typically  communicated  through  a  series  of  planning 
documents  consisting  of  a  strategic  plan,  an  integrated  delivery  plan,  and 
detailed  project  plans.  In  addition,  to  hold  each  party  accountable  for  their 
actions,  there  should  be  thorough  and  timely  reporting  of  progress  made  on  all 
aspects  of  the  EHR  systems. 


Project 
management 
practices  should 
be  followed 


Information  on 
cost  of  EHR 
systems  not  shared 


No  current 
business  case 
combining  all 
projects 


Project  management 

In  the  current  economic  climate,  where  dollars  are  scarce,  and  the  government's 
priority  is  to  ensure  that  public  money  is  spent  on  viable  and  effective 
programs,  it  is  important  that  appropriate  project  management  practices  be 
followed  which  clarify  the  benefits  and  costs  of  the  significant  investment  in 
EHR  systems. 

As  of  March  31,  2009,  the  Department  estimates  that  it  alone  has  spent 
$615  million  on  building  components  of  the  EHR  systems.  The  Department  has 
cost  information  for  each  project  within  an  initiative.  However,  that  information 
is  not  summarized  and  shared.  The  Department  has  not  calculated  the  total  cost 
for  all  the  EHR  systems  it  funds  (for  example,  the  $615  million  does  not 
include  costs  incurred  by  regional  authorities  on  components  that  are  part  of  the 
EHR  systems).  We  noted  in  our  audit  that  budgets  and  costs  are  managed  at  the 
project  level,  and  not  at  an  overall  EHR  systems  level. 

The  Department  was  not  able  to  provide  us  with  a  combined  business  case  for 
the  EHR  components  it  funds — one  that  compares  the  total  cost  of  the  systems 
(i.e.,  the  sizeable  investment  that  the  Government  will  cumulatively  be  asked  to 
make)  to  the  benefits  (i.e.,  the  anticipated  cost  savings  and  the  improved  quality 
of  health  care  that  will  result  once  the  EHR  systems  have  been  completed).  This 
consolidated  view  should  aggregate  all  of  the  many  projects  that  make  up  an 
electronic  health  record,  and  show  how  changes  or  delays  in  individual  projects 
impact  the  completion  of  the  EHR  systems. 


Shared 

responsibility  for 
protecting  patient 
information 


Security 

The  Department  shares  responsibility  for  protecting  health  care  information 
with  all  other  custodians.1  That  is,  there  is  no  one  organization  that  is 
responsible  for  ensuring  the  protection  of  health  care  information.  Security 
functions,  like  assigning  access  to  Netcare  (a  web-based  portal  that  allows  users 


As  defined  in  Part  1  Section  1(1  )(f)  of  the  Health  Information  Act 
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to  access  patient  information),  monitoring  what  users  are  doing  with  their 
access,  and  auditing  to  detect  unauthorized  access,  are  performed  in  part  by 
each  stakeholder. 

We  expected  the  Department  would  be  reviewing  Netcare  access  proactively 
and  frequently,  but  found  that  monitoring  was  reactive.  We  also  found  that  for  a 
period  of  three  months,  no  review  of  user  access  in  Netcare  had  been 
performed.  Users'  access  in  Netcare  was  not  always  suspended  or  disabled  as 
soon  as  the  user  no  longer  needed  access. 

What  needs  to  be  done 

The  Department  needs  to  improve  its  management  of  the  electronic  health 
records  project  by: 

•  working  jointly  with  Alberta  Health  Services  and  governance  committee 
members  to: 

•  maintain  an  integrated  delivery  plan  that  aligns  with  the  strategic  plan 

•  improve  systems  to  regularly  report  costs,  timelines,  progress  and 
outcomes  (see  recommendation  on  page  73) 

•  executing  publicly  funded  electronic  health  record  projects  and  initiatives 
in  accordance  with  established  project  management  standards  (see 
recommendation  on  page  75) 

•  proactively  monitoring  access  to  the  Netcare  portal  (see  recommendation 
on  page  78) 

•  removing  user  access  to  the  Netcare  portal  when  access  is  no  longer 
needed  (see  recommendation  on  page  80) 

2.  Background 

Canada-wide  initiative 

In  2000,  as  part  of  the  First  Ministers'  Agreement,  Canada's  political  leaders 
identified  development  of  an  electronic  health  record  as  their  top  priority  in 
health  care.  This  commitment  was  subsequently  reinforced  in  the  2003  Accord 
on  Health  Care  Renewal  and  in  the  2004  10-Year  Plan  to  Strengthen  Health 
Care. 

The  Government  of  Canada  established  Canada  Health  Infoway  (Infoway)  in 
September  2000.  Its  mandate  is  to  "accelerate  the  development  and  adoption  of 
modern  systems  of  health  information  and  to  define  and  promote  standards 
governing  the  health  info-structure  to  ensure  [compatibility]."  From  Infoway 's 
inception  to  the  end  of  2006,  the  federal  government  provided  $1.2  billion  in 
funding  for  electronic  health  records,  tele-health  and  public  health  surveillance 
solutions.2 


Canada  Health  Infoway  "Electronic  Health  Records:  Canada's  next  generation  of  health  care  at  a  glance" 
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lnfoway  membership  consists  of  Deputy  Ministers  of  Health  from  all 
14  federal,  provincial  and  territorial  governments.  lnfoway  coordinates  the 
work  of  health  ministries,  regional  authorities,  other  health  care  organizations 
and  information  systems  vendors.  Together,  their  goal  is  to  develop  a 
compatible  network  of  electronic  health  record  solutions  across  Canada- 
linking  hospitals,  clinics,  pharmacies  and  other  points  of  care. 

The  objectives  for  creating  a  Canada-wide  electronic  health  record  are  to  reduce 
wait  times,  increase  patient  participation  in  health  care,  make  management  of 
chronic  diseases  more  efficient,  improve  access  to  health  care  in  remote  and 
rural  communities,  reduce  adverse  drug  interactions,  and  improve  drug 
prescribing  practices. 

The  Department  is  working  with  ministries  from  federal,  provincial  and 
territorial  jurisdictions  to  create  cross-jurisdictional  EHR  systems  that  are 
compatible  with  the  electronic  health  records  of  all  Canadian  jurisdictions. 

Canada  Health  lnfoway,  in  the  document  EHR  2015  Advancing  Canada  s  Next 
Generation  of  Healthcare  on  page  62,'  has  described  the  goal  of  the 
Canada-wide  approach  as: 

1 .  "Ensure  the  EHR  elements  are  built  with  consistent  standards,  thereby 
enabling  future  interoperability  within  and  across  jurisdictions  and 
simplifying  the  movement  of  knowledge  and  people  across  jurisdictions. 

2.  Serve  as  a  catalyst  for  new  infrastructure  developments  and  ensure 
common  platform  quality  across  all  jurisdictions. 

3.  Where  possible,  encourage  cooperation,  thereby  eliminating  redundancy 
and  duplicative  efforts  in  systems  design,  vendor  negotiations,  etc. 

4.  Reduce  long-term  costs  and  implementation  time  by  leveraging  scale  and 
cross-jurisdictional  knowledge." 

The  development  of  EHR  systems  in  Alberta  is  partly  funded  by  the 
Government  of  Canada  through  an  agreement  with  lnfoway.  Each  province  or 
territory  is  entitled  to  receive  funding  from  lnfoway  for  eligible  expenses.  It  is 
the  role  of  the  Department  to  propose  projects  to  lnfoway  for  funding  and  to 
implement  the  projects.  Of  the  estimated  $615  million  that  the  Department  has 
spent  on  EHR  systems,  $61  million  was  reimbursed  by  lnfoway.  Current 
funding  agreements  with  lnfoway  allow  for  an  additional  reimbursement  of  up 
to  $47.6  million. 


3  Canada  Health  lnfoway  "EHR  2015  Advancing  Canada 's  next  generation  of  healthcare"  page  5 
http://www2.infoway-inforoute.ca/Documents/Vision  20 1 5  Advancing_Canadas jiext  generation  _of_healthcare[  1  ].pdt 


Report  of  the  Auditor  General  of  Alberta 
October  2009 


63 


Health  and  Wellness 


Electronic  Health  Records 


Key  activities  in  development  of  EHR  systems  in  Alberta 

Some  of  the  major  activities  that  have  been  central  to  the  development  of  the 
provincial  EHR  systems  to  date  are  listed  in  the  following  table:4 


|  Year 

Event 

1  QQ7 

1  77  / 

Alberta  Wellnet,  the  predecessor  to  the  EHR  systems,  is  formed  to 
develop  and  deliver  province-wide  EHR  initiatives. 

1998 

Alberta  Supernet,  a  province-wide  high  speed  broadband  Internet 
network,  established  to  provide  required  Internet  services  is 
developed. 

1999 

The  Pharmaceutical  Information  Network  (PIN)  was  piloted  and 
deployed  as  the  Seniors  Drug  Profile. 

2001 

The  Physician  Office  Systems  Program  established  to  lead  the 
adoption  of  Electronic  Medical  Records  within  physician  offices 
across  the  province. 

2002 

Premier's  Advisory  Council  recommended  implementing 
province-wide  EHR  systems,  and  PIN  became  the  drug  information 
component  of  the  Alberta  EHR. 

2003 

Alberta  EHR  systems  were  launched  province-wide  and  physicians 
across  the  province  were  able  to  get  connected. 

2004 

Capital  Health  launches  Netcare,  Alberta's  seven  rural  health  regions 
form  RSHIP  (Regional  Shared  Health  Information  Program)  and 
pharmacies  begin  to  send  drug  dispensing  information. 

2005 

The  Premier  announces  that  all  Albertans  would  have  an  electronic 
health  record  by  2008;  Calgary  Health  Region  begins  to  implement  an 
pntprnrisp-wirlp  sinolp  clinical  information  'sVstpm 

Wlll^ipi  Ijv    VV  1UU  .  T  1  I  1      ]  ^_    ^  1  1  1  I  1  \_  H  1    1111  ul  111C1L1  Ull  OJ'oL^'lll. 

2006 

Alberta  Netcare  Portal  2006  deployment  begins;  the  Provincial 
Diagnostic  Imaging  strategy  is  adopted  and  begins  delivery; 
Provincial  Registries  initiatives  are  underway. 

2007 

Legislation  requires  mandatory  submission  of  dispensing  information 
from  pharmacies,  system  to  system  functionality  begins  to  enhance 
the  overall  integration  of  physician  offices  and  pharmacies  with 
electronic  health  records,  the  Provincial  Health  Information  Exchange 
(pHIE)  initiative  begins,  delivering  lab  results  electronically  to 
physician  offices. 

2008 

RSHIP,  which  represented  the  seven  rural  health  regions,  was 
disbanded;  transition  to  a  new  model  based  on  a  North/South  model 
(more  in  line  with  referrals  patterns  across  the  province)  is  underway. 

2009 

The  nine  regional  health  authorities  are  consolidated  into  Alberta 
Health  Services  (AHS). 

4  Alberta  Health  and  Wellness,  Provincial  Health  I M/IT  Strategic  Plan  2008/09-2010/11,  pgs.  13-14 
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Ministry's  strategic  goals 

The  Ministry's  strategic  goals  for  EHR  systems  are  increased: 

•  accessibility  of  health  services 

•  patient  satisfaction  with  health  services 

•  quality  of  care 

•  productivity  of  the  health  system 

EHR  systems  and  repositories 

The  systems  and  repositories  that  make  up  the  EHR  systems  include: 

•  registries — various  systems  that  store  patient,  health  care  provider  and 
health  care  delivery  site  information 

•  repositories — various  systems  that  store  patients '  drug,  laboratory, 
diagnostic  imaging  and  text  report  information 

•  health  information  exchanges — three  systems  that  verify  message  formats 
and  ensure  reliable  delivery  of  information  (Provincial  Health  Information 
Exchange,  Cloverleaf  Regional  Health  Information  Exchange,  Calgary 
Regional  Health  Information  Exchange) 

•  Netcare  portal — system  that  gathers  information  from  various  other 
systems  and  allows  users  to  view  a  patient's  complete  health  record  online 

•  health  care  providers — various  systems  that  store  information  that  health 
care  providers  use,  such  as  wait  times  management,  public  health, 
pharmacy,  radiology,  laboratory  and  physician  information 

•  physical  infrastructure — servers,  networking  devices  and  facilities 

Netcare  portal 

At  the  centre  of  Alberta's  EHR  systems  is  the  Netcare  portal,  a  web  application 
that  brings  information  from  a  number  of  different  sources  into  one  location, 
allowing  users  of  the  portal  to  view  that  information  easily.  Netcare  was  first 
implemented  by  the  former  Capital  Health  Region  to  provide  information  on 
patients  in  the  region.  As  Alberta  developed  EHR  systems,  the  Department 
adapted  Netcare  to  integrate  health  and  demographic  information  on  patients 
from  all  health  regions. 


The  Department  continues  to  develop  the  Netcare  portal.  In  its  current  form, 
Netcare  provides  access  to  the  following  information  submitted  by  providers: 
drug  prescription  information 
laboratory  reports 
diagnostic  images  such  as  x-rays 
limited  text  reports  of  physician  notes 

demographic  information  such  as  a  patient's  health  care  numbers,  address, 
age  and  gender 


Report  of  the  Auditor  General  of  Alberta 
October  2009 


65 


Health  and  Wellness 


Electronic  Health  Records 


EHR  data  is 
combined  from 
many  sources 


An  electronic  health  record  combines  data  from  a  number  of  different  sources 
to  provide  an  integrated  view  of  a  patient's  medical  history  through  Netcare. 
The  Department  often  uses  Netcare  to  refer  to  all  EHR  systems.  For  purposes  of 
this  report,  we  refer  to  the  complex  array  of  interrelated  systems  as  the  EHR 
systems  and  reserve  the  name  Netcare  for  the  portal  through  which  users  gain 
access  to  information  in  the  EHR  systems. 


EHR  systems  are 
managed  by  many 
participants 


Participants  use 
different  systems 
to  provide  EHR 
data 


Main  participants  in  the  EHR  systems 

For  each  of  the  data  components  of  the  EHR  systems,  several  organizations 
within  AHS  may  be  responsible  for  developing  and  managing  the  systems  that 
store  the  data.  For  example,  AHS  maintains  three  patient  registries:  one  registry 
in  Calgary  and  two  in  Edmonton.  Although  AHS  is  responsible  for  all  health 
regions,  each  region  continues  to  operate  independently  in  its  day-to-day 
operations. 

Various  organizations  (physician's  offices,  pharmacies,  labs,  hospitals,  etc.)  use 
disparate  systems  to  provide  information  for  the  electronic  health  record. 
Furthermore,  organizations  that  contribute  information  to  EHR  systems  have  a 
complex  array  of  relationships  with  each  other.  Complex  EHR  systems  require 
clear  leadership  in  the  form  of  direction  on  strategy,  policy  and  standards  from 
a  central  authority.  The  Government  of  Alberta  has  assigned  this  responsibility 
to  the  Department. 


Many  systems  are 
incompatible  with 
each  other 


The  Department  and  AHS  share  primary  accountability  and  oversight  for  the 
outcomes  of  the  EHR  systems,  with  ultimate  accountability  residing  with  the 
Minister.  Given  the  relatively  recent  establishment  of  AHS,  work  is  underway 
to  clearly  articulate  roles  and  responsibilities  toward  eliminating  ambiguity  and 
ensuring  reliable  accountability  and  oversight  for  EHR  planning  and 
implementation. 

Managing  a  complex,  interdependent  EHR  infrastructure  is  a  significant 
challenge.  Alberta's  EHR  systems  have  been  built  component  by  component  as 
they  have  evolved.  They  have  been  built  recognizing  that  the  health  system  is  a 
complex  and  diffuse  operation  with  many  key  players,  and  with  electronic 
systems  that  have  evolved  over  a  number  of  years.  For  example,  legacy 
environments,  such  as  incompatible  electronic  medical  records  in  many 
physicians'  offices  and  incompatible  hospital  clinical  systems  have,  and 
continue  to  require,  costs  of  custom  integration  with  the  EHR. 


Alberta  is  now  focused  on  the  development  of  an  integrated  vision,  plan  and 
roadmap  recognizing  the  challenges  of  the  distributed  model  and  the  benefits  of 
an  integrated  vision  and  plan  detailing  the  combined  strategies,  priorities, 
benefits  and  required  resources. 


66 


Report  of  the  Auditor  General  of  Alberta 


October  2009 


Health  and  Wellness 


Electronic  Health  Records 


Our  audit 
objective 


Our  review  of  the  EHR  systems  focused  primarily  on  information  technology, 
governance,  project  management  and  security  and  privacy  aspects.  We  have 
recommendations  for  improvement  in  each  of  these  areas,  as  described  in  the 
following  sections. 

3.  Audit  objectives  and  scope 

Audit  objectives 

We  conducted  our  audit  to  determine  whether  the  Department  and  AHS  ha\  e 
appropriate  and  effective  mechanisms  in  place  to  guide,  monitor  and  report  on 
the  implementation  of  EHR  systems.  Our  audit  considered: 

1 .  Do  the  Department's  plans  focus  on  developing  consistent  and  compatible 
EHR  systems? 

2.  Is  the  Department  managing  EHR  projects  based  on  a  recognized  project 
management  methodology  and  are  they  achieving  expected  results? 

3.  Does  Department  management  receive  the  information  it  needs  to  make 
decisions  about  implementing  EHR  systems? 

4.  Can  the  Department  demonstrate  that  there  are  appropriate  privacy  and 
security  mechanisms  in  place  to  access  electronic  health  records? 


Our  scope 


Audit  scope 

Our  audit  evaluated  the  projects  funded  by  the  Department  and  partly 
reimbursed  through  funding  agreements  with  Infoway.  These  agreements  set 
out  the  scope  of  work  and  criteria  for  eligibility  of  expenditures  for  projects 
such  as  diagnostic  imaging  repositories  and  Netcare. 

Federal  funding  agreements  do  not  cover  all  EHR  projects.  To  evaluate  if  a 
consistent  project  management  methodology  is  followed  throughout  EHR 
systems,  our  audit  included  projects  funded  entirely  by  the  Department  as  well 
as  projects  funded  by  Infoway. 


We  evaluated 
Netcare  controls 


Netcare 

Alberta's  Netcare  portal  is  a  web-based  gateway  that  allows  health  care 
providers  to  access  an  individual's  health  information.  While  Netcare  is 
currently  maintained  by  AHS,  monitoring  of  access  controls  remains  the 
responsibility  of  the  Department.  Therefore,  we  evaluated  the  Department's  and 
AHS's  processes  for  ensuring  adequate  controls  over  maintenance  and  security 
of  Netcare. 


We  evaluated 
pi  1 1  li  controls 


Provincial  Health  Information  Exchange 

The  Provincial  Health  Information  Exchange  (pHIE)  will  allow  information 
systems  belonging  to  health  care  providers  to  interface  with  EHR  systems. 
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Audit  limited  to 
publicly  funded 
systems 


pHIE  is  maintained  by  AHS — we  evaluated  their  processes  for  ensuring 
adequate  controls  over  its  maintenance  and  security. 

Limits  to  audit  scope 

Each  clinic,  doctor's  office,  hospital  and  other  health  care  provider  can  also 
have  access  to  EHR  systems.  These  entities  are  out  of  scope  for  this  audit. 
However,  we  did  evaluate  the  Department's  processes  for  ensuring  that  each 
health  care  provider  implements  and  maintains  appropriate  access  controls  for 
Netcare. 


Audit  conducted 
in  collaboration 
with  other 
legislative  offices 


Audit  partners 

We  conducted  this  audit  with  other  Legislative  Auditors  across  Canada, 
including  the  Auditor  General  of  Canada.  The  purpose  of  this  collaborative 
effort  is  to  apply  a  consistent  assessment  of  EHR  systems  across  Canada.  The 
results  of  our  audit  will  assist  the  Auditor  General  of  Canada  in  its  audit  of 
Infoway's  systems  for  funding  and  supporting  EHR  systems  across  Canada. 

4.  Conclusions 

We  have  concluded  against  our  four  audit  objectives.  For  further  detail  on  each 
criterion  see  Appendix — page  85. 


Roles  and 
responsibilities 
need  to  be  clearly 
documented  and 
communicated 


An  integrated 
delivery  plan 
needs  to  be 
completed 


Department  needs 
to  demonstrate 
that  it  is  achieving 
expectations 

Department  needs 
to  justify  why 
project  should 
continue 


Objective  1 — Plans  for  EHR  systems 

The  Department  has  a  shared  governance  model  in  place  for  the  EHR  systems. 
While  we  do  not  question  the  use  of  this  model,  our  audit  noted  that  the  roles 
and  responsibilities  for  key  oversight  requirements  need  to  be  clearly 
documented  and  communicated.  The  Department's  primary  focus  is  to  ensure 
compatibility  of  EHR  systems  within  Alberta.  As  well,  Alberta  is  committed  to 
the  pan-Canadian  vision  and  to  ensuring  compatibility  across  Canada. 

The  Department  also  needs  to  prepare  an  integrated  delivery  plan,  for  the 
components  that  it  funds,  that  links  the  priorities  of  each  EHR  initiative  to  the 
objectives  of  the  strategic  plan.  The  integrated  delivery  plan  should  be 
supported  by  detailed  plans  for  each  initiative. 

Objective  2 — Project  management 

The  Department  is  managing  EHR  projects  based  on  a  recognized  project 
management  methodology;  however,  the  Department  cannot  demonstrate  that  it 
is  achieving  expected  results. 

The  Department  needs  to  improve  project  management  processes  by  ensuring 
that  there  is  appropriate  business  justification  to  continue  with  each  project, 
initiative  and  the  EHR  system  as  a  whole. 
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Projects  need  to 
comply  with 
project 
management 
framework 


The  Department  also  needs  to  ensure  that  all  publicly  funded  projects  comply 
with  established  project  management  standards.  Improvements  need  to  be  made 
in  the  areas  of: 

quality  management 
schedule  management 
documentation  and  records  management 
risk  management 
cost  management 


Department  needs 
to  track  and  report 
on  total  costs 


Department  needs 
to  regulary  review 
access  to  Netcare 


Objective  3— Report  of  EHR  systems'  progress 

Key  members  of  the  Alberta  Health  and  Wellness  executive  committee  are 
members  of  the  EHR  Governance  Committee,  and  in  this  management  capacity 
receive  information  to  make  decisions  about  implementing  EHR  systems.  The 
Department  does  not  track  total  costs  incurred  for  EHR  systems,  and  no 
evidence  was  found  that  initiative  level  financial  information  was  regularly 
reported.  Given  the  absence  of  financial  reporting,  the  EHR  Governance 
Committee,  as  the  key  management  body,  is  not  provided  with  the  information 
necessary  to  regularly  monitor  and  assess  costs,  timelines  and  progress. 

Objective  4 — Privacy  and  security 

The  Department  was  not  regularly  reviewing  access  to  Netcare.  User  access  to 
Netcare  was  not  always  disabled  when  employees  no  longer  needed  access. 
EHR  privacy  and  security  issues  are  managed  using  a  federated  model  with 
each  stakeholder  responsible  for  their  own  environment.  The  Department  has 
some  processes  in  place  to  demonstrate  that  privacy  and  security  mechanisms 
have  been  implemented. 

The  following  questions  remain  after  having  completed  our  audit: 

What  is  the  total  cost  of  the  EHR  systems' 

The  Department  has  not  developed  a  comprehensive  business  case  for  the  EHR 
systems.  Because  the  systems  are  continually  changing,  it  is  difficult  to 
determine  the  total  cost  of  the  system  to  date,  or  the  projected  final  cost.  The 
Department  manages  each  project  individually  and  budgets  for  capital  dollars 
on  an  annual  basis.  The  Department  is  able  to  estimate  what  it  has  spent  on  all 
the  projects,  but  does  not  have  information  on  actual  or  estimated  amounts 
spent  by  the  regions  and  other  stakeholders;  therefore,  it  does  not  have 
estimates  or  the  actual  cost  for  the  EHR  system  to  date. 

The  Department  has  no  forecast  of  its  cost  to  complete  the  EHR  system  as 
currently  outlined  in  its  strategic  plan. 
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What  are  the  cost  savings  from  using  electronic  health  records? 
It  is  not  clear  how  the  Department  will  demonstrate  savings  achieved  by  using 
EHRs.  Although  it  is  expected  that  there  will  be  cost  savings  through  better 
treatment,  and  improved  delivery  of  health  care,  and  more  efficient  processes, 
the  Department  does  not  have  a  baseline  to  compare  against.  The  RAND 
Corporation  estimated  that  the  health  care  industry  in  the  United  States  could 
obtain  savings  ranging  from  5%  to  20%.  The  largest  component  of  the  savings 
is  gained  by  improved  efficiencies  in  health  care  delivery. 

The  Association  of  Chartered  Certified  Accountants  in  collaboration  with  the 
European  Commission  Information  Society  Directorate-General  completed  a 
study  of  Denmark's  EHR  implementation.5  The  study  found  that  electronic 
patient  referrals  could  save  the  government  €5.02  per  referral  or  €3.5  million 
annually.  These  savings  were  based  on  calculating  the  cost  differences  between 
processing  referrals  electronically  versus  processing  them  manually.  If  we 
achieve  the  same  efficiencies,  potential  savings  for  Albertans  on  patient 
referrals  only  would  be  about  $1.10  per  capita  or  $3.8  million.  TIME6  also 
reported  that  Denmark's  EHR  system  was  able  to  save  doctors  "an  average 
50  minutes  a  day  of  administrative  work." 

What  are  the  benefits  in  implementing  an  electronic  health  record  system? 
A  study7  conducted  by  the  RAND  Corporation  identified  reduced  medication 
error  and  improved  adverse  drug  event  rates  as  benefits  gained  by  using 
electronic  health  records.  The  study  also  identified  disease  prevention  and 
chronic  disease  management  as  other  benefits. 

The  Department  has  made  progress  developing  key  benefits  evaluation 
components.  For  example,  a  Benefits  Logic  model  (results  chain)  explicitly 
shows  linkages  between  projects  and  outcomes  and  models  them  in  a  rigorous 
manner.  The  Department  also  has  a  guide  and  template  for  providers  to  measure 
and  evaluate  the  benefits  associated  with  a  project/initiative.  However,  at  this 
time  no  benefits  evaluation  has  been  performed. 

What  are  the  key  components  of  the  EHR  systems? 

The  definition  of  an  electronic  health  record  is  that  it  is  a  lifetime  record  of  an 
individual's  key  health  history  and  care.  However,  the  definition  is  not  clear  as 
to  what  comprise  the  key  components  of  this  record.  Should  the  record  consist 


5  The  cost  benefit  of  electronic  patient  referrals  in  Denmark,  Association  of  Chartered  Certified  Accountants, 
http://www.accaglobal.com/pubs/members/publications/sector_booklets/healthcarejiector/benefit_denm 

6  In  Denmark's  Electronic  Health  Records  Program,  a  Lesson  for  the  U.S.,  TIME, 
http: //www.  time,  com/time/health/article/0, 8599, 1 891209, 00.  html 

7  Can  Electronic  Medical  Record  Systems  Transform  Health  Care?  Potential  Health  Benefits,  Savings,  and  Costs  Health 
Affairs,  Volume  24,  Number  5 
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of  all  laboratory  events,  all  hospital  visits,  all  doctor  visits,  all  prescriptions, 
etc?  This  distinction  is  important  because  it  is  difficult  to  determine  when  the 
project  will  be  completed  if  the  system  is  constantly  changing. 

Infoway  defined  five  core  components  of  EHR  systems: 

1 .  registries — provider  registry  and  client  registry 

2.  provincial  health  information  exchange  and  Netcare  portal 

3.  provincial  lab  information  system 

4.  provincial  diagnostic  imaging  system 

5.  pharmaceutical  information  network 

The  Department  includes  these  five  core  components  as  initiatives  in  the 
Provincial  Health  1M/IT  Strategic  Plan  2008/09-2010/1 1 .  However,  the 
Department's  strategic  plan  also  includes  16  additional  initiatives,  such  as 
chronic  disease  management  and  patient  portal,  within  the  EHR  portfolio.  It  is 
not  clear  if  all  these  initiatives  are  key  to  efficient  and  effective  EHR  systems. 

When  will  the  system  be  finished? 

It  is  not  clear  when  the  EHR  systems  will  be  completed.  Alberta  has  made  good 
progress  in  completing  the  core  components  of  its  EHR  systems.  However,  the 
Department's  vision  is  to  add  additional  functionality  that  will  allow 
pharmacists  to  prescribe  online,  allow  users  to  access  their  records  online,  and 
allow  physicians  to  record  all  health  care  events.  The  Department  can  show  us 
when  each  individual  project  will  be  finished,  but  not  when  the  EHR  systems 
will  be  finished.  A  common  understanding  of  which  components  and  usage 
targets  comprise  the  completion  of  each  phase  should  be  clarified. 

Will  Alberta's  EHR  systems  be  compatible  with  other  provincial  and  territorial 
systems? 

Our  audit  confirmed  that  Alberta  is  working  to  comply  with  standards  set  by 
Infoway.  The  intent  of  the  Infoway  standards,  as  described  in  the  Infoway 
Blueprint,  is  to  ensure  EHR  systems  are  being  built  consistently.  However,  it  is 
too  early  to  say  whether  the  systems  in  different  jurisdictions  will  be 
compatible,  as  most  jurisdictions  have  not  completed  their  implementation  of 
EHR  systems. 

AHS  has  stated  that  it  is  their  experience  that  94%  to  98%  of  the  population 
seeks  health  care  within  their  home  province.  Only  2%  to  6%  would  require 
health  care  outside  their  province  of  residence.  It  appears  the  primary  focus  of 
each  jurisdiction  is  to  ensure  compatibility  within  their  jurisdiction.  Ensuring 
compatibility  across  Canada  would  appear  to  be  a  secondary  focus  at  this  stage 
of  development. 
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Will  new  legislation  improve  participation  in  the  EHR  systems? 
In  Alberta,  currently,  physicians  can  voluntarily  adopt  EHR  systems.  Neither 
the  Minister,  nor  the  Department,  at  present,  has  the  authority  to  compel 
physicians  to  participate  or  make  health  information  available  in  the  EHR 
systems.  However,  enactment  of  Bill  52 — Health  Information  Amendment  Act, 
2008,  will  give  the  Minister  the  authority  to  compel  custodians  to  make  health 
information  available  in  EHR  systems.  iHealthBeat  8(a  health  industry  news 
publication)  reported  that  23%  of  physicians  in  Canada  have  adopted  electronic 
health  records.  This  figure  is  much  lower  than  other  countries  with  EHR 
systems  (see  Figure  1 ). 


Percent  of  Participation  by  Physicians 
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Figure  1:  Source  iHealthBeat  (Alberta  added) 

In  2008,  the  Department  stated  that  it  had  implemented  an  electronic  health 
record  system  for  Albertans.  As  of  the  date  of  this  report: 

•  approximately  40%  of  physicians  in  Alberta  have  EMRs,  of  which  70% 
(i.e.,  28%  overall)  have  access  to  EHR  systems 

•  95%  of  radiologists  have  access  to  EHR  systems 

•  76%  of  pharmacists  have  access  to  EHR  systems 

•  lab  technicians  do  not  have  access  to  EHR  systems;  however,  all  lab  results 
are  included  in  the  EHR  lab  repositories 

At  present,  participation  by  all  stakeholders  is  not  mandatory.  As  a  result, 
patient  information  in  the  EHR  systems  is  incomplete. 


1  "U.S.  Lags  Behind  Other  Countries  in  EHR  Adoption,  Report  Says,"  iHealthBeat, 

http://www.ihealthbeat.Org/Articles/2008/7/18/US-Lags-Behind-Other-Countries-in-EHR-Adoption-Report-Says.aspx 
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5.  Recommendations 

5.1  Oversight  and  accountability  for  electronic  health  records  (EHR) 
Recommendation  No.  6 
®=^r         We  recommend  that  the  Department  of  Health  and  Wellness  and  Alberta 
Health  Services,  working  with  the  EHR  Governance  Committee,  improve 
the  oversight  of  electronic  health  record  systems  by: 

•  maintaining  an  integrated  delivery  plan  that  aligns  with  the  strategic 
plan 

•  improving  systems  to  regularly  report  costs,  timelines,  progress  and 
outcomes 


EHR 

infrastructure  is 
complex 


Key  component  is 
the  strategic  plan 


An  integrated 
delivery  plan 
should  link 
strategic  plan  to 
project  plans 


Background 

Managing  a  complex,  interdependent  electronic  health  record  infrastructure  is  a 
significant  challenge.  Alberta's  EHR  systems  have  been  built  component  by 
component  as  they  have  evolved.  They  have  been  built  recognizing  that  the 
health  system  is  a  complex  and  diffuse  operation  with  many  key  players  and 
with  electronic  systems  that  have  evolved  over  a  number  of  years. 

A  key  component  of  effective  oversight  is  the  establishment  of  a  strategic  plan 
for  the  EHR  systems  and  the  alignment  of  an  integrated  delivery  plan  to  guide 
the  implementation  of  the  strategic  plan,  supported  by  regularly  updated 
detailed  plans  for  each  EHR  initiative. 

An  integrated  delivery  plan  should  describe  how  the  Department  and  key 
stakeholders  will  implement  and  achieve  the  objectives  and  priorities  within  its 
strategic  plan  through  initiatives  and  projects.  This  plan  should  also  describe 
how  disbursements  will  be  tracked  and  how  risks  and  mitigation  strategies  will 
be  identified  and  managed  to  support  the  strategic  plan. 

Key  elements  of  oversight  also  include  progress  reporting,  monitoring  toward 
ensuring  the  establishment  of  performance  measures  and  realizing  expected 
outcomes  and  benefits. 


Progress  reports 
are  important  for 
monitoring 
projects 


Progress  reports  tell  senior  management  how  the  project  is  progressing,  how 
resources  are  being  used,  how  much  has  been  spent  to  date,  and  whether  the 
project  will  be  completed  on  time.  Progress  reports  also  provide  the  key 
information  upon  which  project  management  can  alter  direction  as  required. 
Progress  reporting  is  needed  at  the  overall  initiative  level  as  well  as  at  the 
individual  project  level. 
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Criteria:  the  standards  we  used  for  our  audit 

The  Department  should 

•  have  an  integrated  delivery  plan  to  guide  implementation  of  the  strategic 
plan 

•  clearly  assign  responsibility  for  progress  reporting  and  monitoring 


No  integrated 
delivery  plan 


Our  audit  findings 
Integrated  delivery  plan 

The  Department  has  a  strategic  plan  that  defines  the  objectives  and  priorities  for 
EHR  systems.  Also,  each  individual  project  that  contributes  to  an  EHR 
initiative  has  a  detailed  project  plan.  However,  the  Department  does  not  have  a 
documented  plan  that  connects  the  objectives  and  priorities  of  the  strategic  plan 
to  the  individual  projects,  or  identifies  dependencies  between  initiatives, 
resources  priorities,  and  risks.  The  Department  relies  on  undocumented 
operational  processes  to  get  the  job  done  and  maintain  overall  progress.  Other 
information  reviewed  during  the  course  of  the  audit  did  not  clearly  demonstrate 
how  the  Department  would  mitigate  overall  EHR  risks  or  allocate  resources  to 
key  priorities. 


Not  clear  how 
projects  contribute 
to  initiatives  and 
entire  EHR 
systems 


A  key  component  that  is  currently  lacking  is  a  clear  outline  of  how  individual 
projects  contribute  to  an  initiative;  and  how  each  initiative  contributes  to  the 
completion  of  EHR  systems.  Each  EHR  initiative  must  complete  a  complex 
body  of  work  to  build  its  piece  of  EHR  systems.  Project  teams  achieve  this  by 
breaking  the  work  down  into  specific  projects  that  are  contracted  out  to 
third-party  vendors.  As  the  work  progresses,  changes  are  often  required  to  the 
contracts  to  reflect  adjustments  to  the  scope  of  work,  time,  cost  or  deliverables. 
These  changes  are  approved  through  an  established  process,  but  the  impact  of 
these  changes  is  difficult  to  see  without  an  integrated  delivery  plan. 


No  regular 
reporting  of  total 
spending  on 
initiatives 


Progress  reporting 

The  Department  has  cost  information  for  each  project  within  an  initiative. 
However,  that  information  is  not  summarized  and  shared.  The  EHR 
Governance  Committee  does  not  receive  information  on  costs  or  regular 
financial  reporting,  and  therefore  are  not  in  a  position  to  monitor  and  assess 
progress.  The  Department  does  not  have  comprehensive  EHR  systems  costing 
in  place — it  does  not  manage  and  fund  all  the  individual  projects  and  is  not  in  a 
position  to  establish  an  overall  perspective  on  costs.  The  Department  should 
track  costs  for  all  publicly  funded  initiatives. 


Specific  reporting  on  progress,  expenditures  and  impacts  is  critical  to  making 
decisions  on  the  ongoing  investments  in  the  EHR. 
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Progress  briefing  does  occur  at  a  high  level  on  targets  of  the  strategic  plan,  and 
only  on  what  the  Department  has  spent  to  date,  and  not  what  others  have  spent. 
Although  stakeholders  regularly  receive  progress  bulletins  on  individual  EHR 
initiatives,  the  bulletins  do  not  compare  actual  with  expected  performance,  and 
do  not  describe  key  decisions  made  or  pending. 

Implications  and  risks  if  recommendation  not  implemented 

The  absence  of  an  integrated  delivery  plan  to  guide  the  implementation  of  the 
strategic  plan  diminishes  the  Department's  ability  to  achieve  its  principal 
objectives,  monitor  performance  and  mitigate  risks  in  an  efficient  and  economic 
manner. 

Without  coordinated  project  and  delivery  plans,  there  is  a  risk  that  not  all  of  the 
work  expected  under  projects  will  be  delivered,  or  that  the  work  that  is 
delivered  will  not  meet  the  business  requirements  of  the  Department,  or  the 
needs  of  users  of  EHR  systems. 

Without  proper  progress  reporting,  management  (EHR  Governance  Committee) 
cannot  exercise  effective  stewardship. 

5.2  Project  management 
Recommendation  No.  7 

We  recommend  the  Department  of  Health  and  Wellness  execute  publicly 
funded  electronic  health  record  projects  and  initiatives  in  accordance  with 
established  project  management  standards. 

Background 

The  Department's  Project  Management  Office  (PMO)  has  developed  a 
framework  based  on  best  practices  to  provide  a  common  approach  for  project 
planning — including  business  cases,  delivery  and  evaluation.  The  framework 
includes  standard  templates,  checklists  and  process  descriptions  designed  to 
ensure  consistency  and  quality  across  projects. 

In  the  Department's  vernacular,  an  initiative  deals  with  the  overall  efforts  to 
accomplish  a  fundamental  component  of  EHR  systems  such  as  diagnostic 
imaging.  An  initiative  can  consist  of  one  or  many  projects.  A  project  consists  of 
all  phases  in  the  system  development  life  cycle  to  deliver  capabilities  in  support 
of  an  initiative. 

Agreements  between  the  Department  and  Infoway  include  funding  schedules 
and  budgets.  Funding  schedules  outline  the  expenditures  that  Infoway  will 
reimburse  to  the  Department.  The  budgets  outline  the  costs  the  Department 


Progress  reporting 
occurs  on  high 
level  targets 


Department  has  an 
established  project 
management 
framework 


An  initiative 
contains  one  or 
many  projects 


Portion  of  EHR 
costs  are 
reimbursed 
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expects  to  incur  in  fulfilling  their  agreement  with  Infoway.  Infoway  generally 
reimburses  75%  of  allowable  expenses.  The  Department  tracks  costs  incurred 
outside  of  the  funding  agreements  with  Infoway  as  part  of  the  Department's 
annual  budgeting  process. 

Criteria:  the  standards  we  used  for  our  audit 

The  Department  should  have  processes  to  monitor  and  manage  projects  to 
ensure  they  are  progressing  as  planned: 

•  all  projects  and  initiatives  are  supported  by  business  cases 

•  budgets  are  compared  to  total  cost 

•  projects  and  initiatives  comply  with  the  PMO  framework 

Our  audit  findings 

In  our  review  of  projects  within  four  main  initiatives,  we  found  inconsistencies 
in  project  monitoring  and  management.  The  PMO  designed  the  framework  to  be 
tailored  to  the  requirements  of  each  project;  it  is  a  set  of  tools  available  for  use. 
We  saw  aspects  of  the  PMO  framework  in  all  projects,  but  found  that  the 
methodology  outlined  was  not  applied  consistently  as  projects  were  executed. 

Some  of  the  projects  pre-date  the  establishment  of  the  current  framework;  we 
did  see  greater  consistency  in  more  current  projects,  which  demonstrates  that 
the  Department  has  made  progress  in  implementing  its  project  management 
practices.  However,  even  in  current  projects,  adherence  to  the  framework 
beyond  the  bi-weekly  status  reports  was  inconsistent.  The  following 
summarizes  our  key  findings: 


Project 
management 
framework  applied 
inconsistently 


Business  cases 

The  Department  has  not  consistently  produced  business  cases  to  justify  the 
components  of  the  EHR  it  has  developed. 

Incomplete  We  tested  four  initiatives:  one  had  a  complete  business  case,  two  initiatives 

business  cases  w£re  SUpp0rtea<  Dy  incomplete  business  cases,  and  the  Department  did  not 

complete  a  business  case  for  the  fourth  initiative.  The  complete  business  case 
was  the  Feasibility  Study  for  Pharmaceutical  Information  Network  (PIN).  PIN 
was  the  first  initiative  of  the  EHR  and  the  Department  considers  this  the 
original  business  case  for  the  EHR.  The  two  incomplete  business  cases 
discussed  the  impacts  of  proceeding  with  the  projects,  but  did  not  identify  the 
expected  tangible  and  intangible  benefits,  or  consider  whether  the  benefits 
justified  the  costs  to  complete  the  initiative. 
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Business  cases  not 
updated 


The  Department  has  not  completed  regular  updates  of  initiative  business  cases, 
despite  the  fact  the  EHR  initiatives  have  significantly  evolved.  One  business 
case,  written  in  1998,  has  not  been  updated  or  reviewed  since  2001 .  The  other 
two  business  cases,  completed  in  2004,  have  never  been  updated. 


No  budget  for 
total  costs  of  EHR 
systems 


Cost  management 

The  Department  has  budgets  for  individual  projects.  The  Department  does  not, 
however,  have  a  budget  for  the  total  costs  of  the  EHR  components  it  has 
funded.  The  Department  sets  program  budgets  each  fiscal  year,  but  these  EHR 
initiatives  span  several  years  and  sometimes  cross  multiple  program  areas. 
Without  overall  initiative,  budgets  the  Department  cannot  determine  if  the 
expenditures  incurred  over  the  life  of  the  initiative  are  reasonable.  It  also  does 
not  have  a  current  budget  for  the  total  costs  for  each  of  the  four  initiatives  \\  e 
reviewed. 


No  current 
forecast  of  costs  to 
complete  EHR 


The  Department 
does  not  track 
total  costs  of  EHR 


The  Department  does  not  have  a  current  forecast  of  the  total  costs  required  to 
complete  the  EHR  systems  it  currently  has  planned  for  development.  Three  of 
the  four  initiatives  we  reviewed  had  an  initial  budget  estimate  as  part  of  the 
original  business  case,  but  the  Department  has  not  tracked  actual  costs  against 
these  estimates.  The  initial  budget  estimates  have  not  been  updated,  except  for 
one  initiative  that  was  updated  in  2008  in  response  to  a  request  by  Canada 
Health  Infoway.  The  Department  has  not  forecast  the  total  costs  to  complete  the 
components  of  the  EHR  it  is  funding. 

The  Department  does  not  maintain  a  current  schedule  of  total  cumulative  costs 
it  has  incurred  for  EHR  systems  or  for  each  initiative.  We  asked  for  the  total 
costs  incurred  by  the  Department  on  EHR  as  of  March  3 1 ,  2009.  The  most 
current  estimate  available  at  the  time  of  our  request  was  the  figure  provided  to 
the  Public  Accounts  Committee  as  of  March  31,  2008.  The  Department's 
updated  estimate  up  to  March  31,  2009  is  $615  million  (we  did  not  audit  this 
estimate).  The  Department  tracks  costs  incurred  that  are  eligible  for 
reimbursement  by  Infoway,  which  represents  a  portion  of  the  total  initiative 
costs. 


Costs  of  EHR  not 
regularly  reported 
to  Executive 
Committee 


We  found  no  evidence  that  management  reported  financial  information  on 
initiatives  to  the  Department's  executive  committee  regularly.  All  initiatives  use 
bi-weekly  status  reports  to  communicate  the  current  status  of  projects. 
Bi-weekly  status  reports  do  not  include  financial  information. 


No  quality 
management  plans 


Quality  management 

The  Department  could  not  provide  evidence  that  quality  management  plans 
were  developed  for  the  three  of  the  four  initiatives  we  examined. 
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Schedule  management 

Impact  of  schedule  Status  reports  often  showed  schedule  delays  for  extended  periods,  with  no  clear 
delays  not  clear  explanation  of  the  impact  of  the  delay  in  completing  milestones  and 

deliverables;  therefore,  the  consequence  of  delays  in  specific  activities  or 

milestones  was  not  clear. 


Key  documents 
not  centrally 
stored 


Documentation  and  records  management 

There  were  inconsistencies  in  the  level  of  documentation  and  records 
management  across  the  four  initiatives: 

•  For  a  project  conducted  in  2003-05,  many  key  documents  were 
unavailable.  The  Department  indicated  these  had  been  misplaced  due  to 
staff  turnover  and  because  Wellnet  had  originally  managed  the  project. 

•  We  were  unable  to  review  a  grant  agreement  for  a  project  completed  in 
early  2008,  as  the  Department  was  unable  to  locate  the  grant  file. 

•  The  Department  did  not  follow  its  delivery  approval  process  in  three  out  of 
four  initiatives.  In  one  case  there  was  little  or  no  support  for  completed 
deliverables;  in  two  others,  there  was  documented  support  for  the 
completed  deliverables,  but  no  approval  indicating  that  the  deliverables 
were  acceptable. 


Risk  management 

Risk  assessments  There  were  inconsistencies  in  the  implementation  of  risk  management  processes 

not  updated  across  the  initiatives  we  sampled.  Initial  risk  assessments  completed  as  part  of 

funding  requests  were  generally  not  updated  on  an  ongoing  basis  and  did  not 
appear  to  be  a  significant  consideration  for  ongoing  project  management. 

Implications  and  risks  if  recommendation  not  implemented 

Without  a  current  business  case,  there  is  a  risk  that  the  Department  cannot 
define  the  need  for  EHR  systems  and  will  be  unable  to  measure  or  assess  the 
value  it  receives  from  the  project.  Inconsistent  project  management  practices 
means  that  the  Department  cannot  proactively  manage  costs,  risks  and  issues; 
projects  may  not  proceed  on  time;  and  projects  may  fail  to  meet  expectations  or 
support  the  underlying  business  needs  of  the  Department,  or  users  of  EHR 
systems. 

5.3  Monitoring  the  EHR 
Recommendation  No.  8 

We  recommend  the  Department  of  Health  and  Wellness  proactively 
monitor  access  to  the  portal  (Netcare),  through  which  the  electronic  health 
records  can  be  viewed,  reviewing  it  for  potential  attacks,  breaches  and 
system  anomalies. 
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EHR  has  systems 
across  the 
province 


Netcare  has 
22,216  active 
users 


Masking  data  is 
available  but  not 
automatic 


Background 

EHR  systems  span  data  repositories,  networks  and  entry  points  across  the 
province.  Daily  transactions  update  patient  records  with  doctors'  notes  and 
observations,  allow  pharmacists  to  check  for  allergic  reactions  to  drugs  and 
attach  diagnostic  images  to  a  patient's  file.  These  transactions  must  have  a  level 
of  security  and  surveillance  that  reflects  the  Government's  commitment  to  keep 
Albertans'  health  care  information  private  and  secure. 

There  are  22,216  active  Netcare  users  who  have  varying  levels  of  access  to 
EHR  systems.  Access  ranges  from  the  ability  to  look  at  only  patient 
demographic  information,  to  view  all  transcribed  reports,  diagnostic  images, 
laboratory  results  and  prescribed  drugs  for  patients  treated  in  Alberta. 

Data  masking  is  the  process  the  Department  uses  to  prevent  health  information 
from  being  visible  in  Netcare.  This  is  accomplished  by  requiring  users  to 
provide  the  reason(s)  they  need  to  access  the  'masked'  information  before  it  is 
presented  to  them.  The  Department  does  not  automatically  mask  all  health 
information — patients  have  to  submit  a  request  to  the  Department  to  have  their 
data  masked. 


Criteria:  the  standards  we  used  for  our  audit 

The  Department  should  have  processes  in  place  to  effectively  monitor  EHR 
systems  for  potential  breaches,  threats  and  attacks,  and  to  collate  this 
information  into  one  central  location. 


No  central 
monitoring  of 
EHR  systems 


Our  audit  findings 

EHR  systems  are  made  up  of  multiple  systems  maintained  and  operated  by 
multiple  organizations  (Department,  AHS,  vendors).  There  is  no  single 
organization  responsible  for  monitoring  the  EHR — each  organization  is 
responsible  for  monitoring  its  own  systems.  The  Department  is,  however, 
responsible  for  reviewing  events  logged  in  Netcare.  The  logs  capture  the  details 
about  what  records  users  access,  who  accessed  the  records  and  when  they  were 
accessed. 


Department 
standards  for 
reviewing  logs  are 
unclear 


It  was  unclear  what  standards  the  Department  was  supposed  to  follow  when 
reviewing  the  access  logs  for  Netcare.  The  Department  drafted  a  standard  in 
2008,  with  direction  from  the  Data  Stewardship  Committee,  but  when  we 
completed  this  audit  it  was  still  pending  approval.  They  also  have  an  audit 
process,  last  updated  in  2007,  which  the  Department  stated  they  were  following. 
The  two  documents  have  similar  requirements  for  reviewing  logs,  but  the  2007 
audit  process  does  not  include  an  audit  requirement  to  review  frequently  failed 
login  attempts,  or  require  that  an  audit  be  carried  out  of  the  unmasking 
decisions. 
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Access  was  not 
reviewed  for  three 
months 


Access  review 
process  is  manual 


Our  testing  revealed  that  for  three  months  in  2009,  the  Department  was  not 
following  either  the  draft  standard  or  the  audit  process — they  did  not  carry  out 
any  review  of  user  access.  The  Department  has  informed  us  that  it  was  not 
reviewing  user  access  because  of  a  problem  with  the  way  the  logs  were  being 
reported.  They  advised  us  that  logs  were  available  in  the  event  that  an 
investigation  was  necessary. 

The  Department  follows  a  manual  process  to  review  user  access.  The 
Department  has  provided  their  analyst  with  high-level  direction  on  what  to  look 
for  when  doing  a  review,  but  the  analyst  relies  mainly  on  professional 
judgment.  Because  it  is  a  manual  process,  the  Department  is  only  able  to 
complete  a  review  of  access  for  a  small  percentage  (less  than  1%)  of  Netcare 
users. 


Department  does 
not  proactively 
review  unmasking 
decisions 


The  Department's  current  practice  is  to  perform  an  audit  of  unmasking 
decisions  only  upon  receipt  of  requests  from  patients.  This  is  contrary  to 
requirements  in  the  draft  audit  standard  which  state  that  auditing  shall  be  done 
monthly.  They  stated  that  as  no  patient  had  submitted  a  request  for  a  review,  no 
audits  had  been  conducted  during  the  past  year. 

Implications  and  risks  if  recommendation  not  implemented 

Without  regular  proactive  and  thorough  reviews  of  Netcare  logs,  the 
Department  is  unlikely  to  detect  unauthorized  access.  This  puts  the 
confidentiality  of  patient  information  at  risk. 

5.4  User  access  management 
Recommendation 

We  recommend  that  the  Department  of  Health  and  Wellness  ensure  that  its 
user  access  management  policies  are  followed  and  that  user  access  to  health 
information  is  removed  when  access  privileges  are  no  longer  required. 


Strong  user  access 
management 
necessary  to 
maintain  privacy 


Background 

Good  user  access  management  is  one  of  the  key  components  in  an  effective 
information  security  management  system.  The  main  concept  behind  effective 
user  access  management  is  to  ensure  access  permissions  to  Netcare  are  properly 
assigned  and  authorized,  and  such  permissions  are  removed  when  no  longer 
required,  such  as,  for  example,  when  a  Netcare  user  is  terminated  by  the  health 
organization. 

EHR  systems  contain  sensitive  and  private  patient  medical  information.  Strong 
user  access  management  limits  access  to  EHR  systems  and  Netcare  to  only 
those  users  who  are  required  to  have  access.  Well-designed  and  effective  user 
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access  management  must  be  in  place  to  ensure  compliance  with  Alberta's 
Health  Information  Act,9  and  to  protect  the  privacy  of  patients. 

Criteria:  the  standards  we  used  for  our  audit 

The  Department  should  have  well-designed  user  access  management  policies 
and  procedures  in  place  for  assigning  and  terminating  user  access  for  EHR 
systems,  and  should  ensure  these  policies  and  procedures  are  complied  with. 

Our  audit  findings 

The  Department  has  policies  in  place  to  provide  Department  affiliates 
(e.g.,  employees,  agents  and  contractors)  with  the  guidance  they  need  to  prevent 
unauthorized  access  to,  and  to  maintain  the  confidentiality,  integrity  and 
availability  of,  health  information.  However,  we  found  that  as  policies  relating 
to  user  access  management  are  not  consistently  followed,  they  are  ineffectrs  e. 

User  access  management  practices  must  cover  all  stages  through  the  life-cycle 
of  user  access — from  the  initial  registration  of  new  users,  to  the  final 
de-registration  of  users  who  no  longer  need  to  access  patient  health  information. 

Of  the  22,216  active  accounts  in  Netcare,  we  identified  158  employees, 
terminated  by  the  three  health  regions,  that  still  had  access  to  Netcare.  We 
confirmed  with  stakeholders  that  these  accounts  belong  to  employees  who  were 
terminated  from  the  organizations  and,  at  that  time,  no  longer  required  access. 

According  to  AHS,  stakeholders  are  responsible  for  notifying  the  Department 
and  AHS  of  employee  departures.  The  failure  to  remove  Netcare  access  for 
terminated  employees  resulted  from  stakeholder  staff  neglecting  to  inform  AHS 
of  employee  departures.  Given  the  high  numbers  of  health  care  staff  in  the 
province  and  the  equally  high  numbers  of  staff  who  move  between  facilities,  it 
is  easy  for  terminated  employees  to  "fall  through  the  cracks"  in  this  largely 
manual  process. 

Our  audit  revealed  that  the  Department  did  not  have  well-designed  and 
documented  user  access  management  policies  and  procedures  in  place  to  review 
user  access  privileges  within  Netcare.  The  Department  indicated  that,  with  the 
large  number  of  stakeholders  involved,  reviewing  all  Netcare  accounts 
manually  is  not  practical  as  it  would  take  a  significant  amount  of  time  to 
perform. 


t(  RSA  2000,  c.  H-5:  section  60(  1 )  A  custodian  must  take  reasonable  steps  in  accordance  with  the  regulations  to  maintain 
administrative,  technical  and  physical  safeguards  that  will  ...  (c)  protect  against  any  reasonably  anticipated  ...  ii)  unauthorized 
use,  disclosure  or  modification  of  the  health  information  or  unauthorized  access  to  the  health  information. 
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Auto-disable  The  Department  realizes  that  problems  in  the  existing  user  access  management 

script  has  bug  process  can  result  in  failure  to  disable  Netcare  accounts  belonging  to  terminated 

staff.  To  reduce  the  risk,  they  implemented  a  control  to  automatically  disable 
Netcare  user  accounts  after  a  period  of  inactivity.  However,  if  a  Netcare  account 
is  compromised  and  is  used  to  log  into  the  systems  during  that  period,  it  will 
never  be  flagged  by  the  auto-disable  script  and  will  remain  active.  Moreover, 
our  analysis  found  a  "bug"  in  the  script  that  prevented  the  disabling  of  certain 
types  of  inactive  accounts.  The  Department  has  acknowledged  this  issue  and 
has  indicated  they  corrected  the  ""bug.'1 


Implications  and  risks  if  recommendation  not  implemented 

Confidentiality  of  Without  a  well-designed  and  effective  user  access  management  process  in  place 

for  Netcare,  the  Department  cannot  ensure  that  patients'  health  information 
within  the  systems  will  remain  private  and  secure. 


health  information 
may  be  at  risk 
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6.  Glossary 


AHS 
AHW 

CHA 

CHI 

CHR 

EHR 
EMR 


HIA 

Initiatives 

Integrated 
Delivery  Plan 

Netcare 

OIPC 

pHIE 

PIA 


Alberta  Health  Sen  ices 

Alberta  Health  and  Wellness— the  Department  of  Health  and  Wellness  and  the 
overall  provider  of  Alberta's  electronic  health  record 

C  apital  Health  Authority— the  Edmonton  regional  health  board  now  part  of  the 
Alberta  Health  Services  "super  board" 

Canada  Health  Infoway 

Calgary  Health  Region— the  Calgary  regional  health  board  now  part  of  the 
Alberta  Health  Sen  ices  "super  board" 

Electronic  Health  Records — records  of  key  health  history  and  care  in  electronic 
form 

An  Electronic  Medical  Record  is  a  computerized  legal  medical  record  created 
in  an  organization  that  delivers  care,  such  as  a  hospital  or  doctor's  office. 
Electronic  medical  records  are  a  part  of  a  local  stand-alone  health  information 
system  that  allows  storage,  retrieval  and  manipulation  of  records 


10 


Health  Information  Act 

A  structure  of  actions  and  interrelated  projects  managed  in  a  coordinated  w  ay, 
required  to  implement  strategy  and  achieve  business  objectives  or  outcomes 

An  integrated  delivery  plan  describes  how  the  Department  w  ill  implement  and 
achieve  the  objectives  and  priorities  within  its  strategic  plan 

Web-based  portal  that  provides  access  to  patients'  health  information 

Office  of  the  Information  and  Privacy  Commissioner 

Provincial  Health  Information  Exchange 

Privacy  Impact  Assessment 


RSA  2000,  c.H-5 
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Project  A  temporary  endeavour  undertaken  to  create  a  unique  product,  service  or  result 

(PMI).  A  project  consists  of  all  phases  in  the  system/application  development 
lifecycle  (SDLC)  to  deliver  capabilities  in  support  of  an  initiative  objective  or 
outcome. 


Repositories  Systems  that  contain  patient's  drug,  laboratory,  diagnostic  imaging  and  text 

report  information 

Stakeholders  Organizations  that  have  a  direct  or  indirect  stake  in  electronic  health  record 

systems  such  as 

•  Ministry  of  Health  and  Wellness 

•  Alberta  Health  Services  (former  RHAs  and  Health  Boards) 

•  Alberta  Medical  Association 

•  Colleges — such  as  the  College  of  Physicians  and  Surgeons  of  Alberta, 
Alberta  College  of  Pharmacists,  etc. 

•  Alberta  Pharmacists'  Association 

•  Pharmacy  Chains  (such  as  Shoppers'  Drug  Mart,  Walmart,  etc.) 

•  Office  of  the  Information  and  Privacy  Commissioner 

•  Primary  Care  Networks 

•  Community  Providers  (MDs,  Labs,  DI) 
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Electronic  Health  Records — Appendix 

The  following  four  criteria  were  used  to  assess  Alberta's  electronic  health  records 
systems.  Criteria  I,  2  and  3  were  used  by  legislative  offices  that  participated  in  the 
collaborative  audit. 


1 .   Do  the  Department's  plans  focus  on  developing  consistent  and  compatible  EI  1R 
systems? 


Audit  Criteria 

Met 

Not  Met 

The  Department  should  have  the  following  in  place: 

•      an  established  framework  for  strategic  planning 

•      a  current  and  comprehensive  strategic  plan  for  EHR  systems 

•      project-specific  and  master  funding  agreement(s)  with  Infoway 

for  developing  compatible  EHR  systems 

•      a  delivery  plan  to  guide  implementation  of  the  strategic  plan 

Is  the  Department  managing  EHR  projects  based  on  a  recognized  project 
manasement  methodology  and  are  thev  achieving  exnected  results9 


Audit  Criteria 

Met 

Not  Met 

The  Department  should  have  the  following  in  place: 

•  detailed  project  plans  for  all  projects 

•  Department  approval  for  all  project  plans 

•  monitoring  processes  to  ensure  projects  are  progressing  as 
planned 

.   Does  Department  management  receive  the  information  it  needs  to  make 
decisions  about  implementing  EHR  systems? 

Audit  Criteria 

Met 

Not  Met 

The  Department  should  have  the  following  in  place: 

•  Management  and  funding  agencies  should  receive  the 
information  necessary  to  monitor  and  assess  progress,  and  make 
decisions  related  to  implementation  of  an  electronic  health 
record. 

•  The  Department  should  demonstrate  the  extent  to  which  the 
objectives  and  outcomes  have  been  achieved  and  benefits  are 
realized. 

•  The  Department  should  report  on  its  progress  in  achieving  its 
goals  to  key  stakeholders. 

•  The  Department  should  identify  performance  indicators  to 
measure  progress  in  achieving  its  goal(s)  and  strategies  for  each 
project. 
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4.  Can  the  Department  demonstrate  that  all  partners  within  EHR  systems  have 
implemented  privacy  and  security  mechanisms? 


udit  Criteria 


The  Department  should  have  the  following  in  place: 

•  Policies  and  procedures  should  be  consistent  with  legislation 
and  the  intent  of  the  Infoway  security  blueprint. 

•  The  Department  has  documented  and  effective  control 
processes  for  requesting,  establishing,  issuing,  suspending  and 
promptly  closing  all  user  account  access  to  EHR  systems.  The 
Department  ensures  that  access  is  limited  to  what  a  user  needs 
to  do  their  job.  The  Department  proactively  monitors  the 
access. 

•  The  Department  has  documented  and  effective  change 
management  procedures  to  assess  and  implement  all  requests 
for  changes  to  the  EHR  in  a  structured  way.  The  Department 
ensures  that  all  change  requests  are  standardized 

•  The  Department  should  have  processes  to  ensure  that  all 
changes  to  data  in  information  registries  and  repositories  are 
authorized,  documented  and  tested.  The  Department  ensures 
that  a  back  out  plan  is  developed  for  all  significant  changes. 

•  The  Department  should  have  processes  to  ensure  that  all 
transmissions  are  encrypted  from  end  to  end  and  all 
transmissions  are  tracked  for  completion. 

•  The  Department  should  have  processes  to  ensure  that  all 
transactions  follow  established  health  industry  standards  for  the 
transmission  of  data  between  EHR  systems. 

•  The  Department  has  a  documented  IT  Continuity  or  Disaster 
Recovery  Plan  (DRP)  designed  to  reduce  the  impact  of  a  major 
disruption  on  key  business  functions  and  processes.  The  DRP 
supports  the  organization's  overall  BCP.  


Met 

Not  Met 

H 

■ 

B 

B 

H 

B 

B 

B 

B 
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Food  Safety — Follow-up 


Food  safet) 
operates  in  a 
complex  multi- 
jurisdictional 
em  ironment 


Follow-up  on  ten 
recommendations 
from  2006  Report: 
five  repeated, 
satisfactory 
progress  on  three, 
two  implemented 


Slow  progress  in 
Health  and  AHS 


Summary 

In  2006,  we  reported  on  the  Government  of  Alberta's  systems  to  promote  safe 
food.  Our  audit  examined  the  systems  used  by  the  Departments  of  Agriculture 
and  Rural  Development  (Agriculture)  and  Health  and  Wellness  (Health),  plus 
the  nine  regional  health  authorities  that  are  now  part  of  Alberta  Health  Sen  ices 
(AHS).1  These  entities  share  responsibility  for  food  safety  in  Alberta  along  with 
the  federal  government.  These  entities  operate  within  a  complex  regulatory 
environment  because,  in  Canada,  government  responsibility  to  promote  and 
enforce  food  safety  is  multi-jurisdictional.  Federal  provincial/territorial 
committees  develop  national  food  safety  policies. 

Within  Alberta,  both  federal  and  provincial  regulators  exercise  their  mandates 
as  described  in  a  variety  of  statutes.  For  example,  the  Canadian  Food  Inspection 
Agency,  a  federal  entity,  regulates  most  of  Alberta's  primary  beef  processing. 
Amongst  the  provincial  regulators,  Agriculture  regulates  the  remaining  aspects 
of  primary  agricultural  production  and  processing.  Health  sets  legislation  and 
policy  under  the  Public  Health  Act2  (the  Act).  AHS  regulates  food  processors 
and  retailers  (including  restaurants)  by  authority  of  the  Act.  Within  this  multi- 
jurisdictional  environment,  the  entities  understand  that  coordinated  effort  needs 
to  be  an  objective. 

In  our  2005-2006  Annual  Report  (beginning  on  page  63),  we  made  ten 
recommendations  to  improve  these  entities'  systems.  The  government 
committed  to  implementing  all  ten  recommendations.  In  the  spring  of  2009.  we 
followed  up  to  determine  their  progress  in  implementing  our  recommendations. 
As  a  result,  we  now  repeat  five  recommendations.  Of  the  remaining  five 
original  recommendations,  management  has  made  satisfactory  progress  on  three 
and  fully  implemented  two.  Overall,  we  conclude  that  progress  has  been 
disappointingly  slow  given  the  importance  of  food  safety  and  the  gov  ernment's 
commitment  to  improve  its  systems. 

Progress  has  been  particularly  slow  in  the  Health  sector.  Food  safety  is  a 
component  of  environmental  public  health  w  hich  represents  a  miniscule 
proportion  of  spending  for  Health  and  AHS.  In  2007,  Health  and  AHS  began  a 
process  to  address  our  recommendations.  This  promising  start  lost  momentum 


1  On  May  15,  2008,  the  Alberta  Health  Services  Board  replaced  the  nine  regional  health  authority  boards,  the  Alberta  Menta 
Health  Board.  Alberta  Alcohol  and  Drug  Abuse  Commission  and  Alberta  Cancer  Board.  AHS  is  now  responsible  for  health 
service  delivery  in  Alberta. 
:  RSA  2000,  c.P-37 
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where 
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required 


after  a  year.  While  food  safety  has  not  deteriorated  in  the  province  over  the  last 
three  years,  the  opportunity  to  improve  the  system  has  been  delayed. 

For  Agriculture,  food  safety  is  a  primary  goal.  Agriculture  has  made 
satisfactory  progress  on  the  three  recommendations  we  made  specifically  to  it. 

Some  food  safety  issues  require  coordinated  action.  For  those  issues,  regulators 
believe  that  strategic  elements  such  as  approved  policies  and  clarity  of  roles  and 
responsibilities  would  assist  in  making  the  required  improvements  in 
operations.  While  Health,  Agriculture  and  AHS  have  moved  forward  on  some 
of  the  required  strategies,  they  have  made  little  progress  resolving  the  food 
safety  issues  we  identified  in  our  original  report.  Those  include  enhancing 
information  systems,  coordinating  programs,  eliminating  gaps  in  regulatory 
coverage,  and  improving  accountability  for  results. 


Food-borne 
outbreaks  in 
Alberta 


Why  food  safety  is  important  to  Albertans 

In  our  original  report,  we  mentioned  that  Health  had  identified  289  enteric 
outbreaks3  in  2004;  23  of  these  were  associated  with  food  establishments  such 
as  restaurants.  In  2008,  the  equivalent  figures  were  397  and  17,  so  a  significant 
risk  continues  to  exist.  For  some  individuals  who  have  fallen  ill  from 
food-borne  illness,  the  effects  may  last  a  lifetime. 


Cost  of 

food-borne  illness 


Society  pays  an  ongoing  economic  price  for  food-borne  illnesses.  In  our 
2005-2006  Annual  Report,  we  reported  its  costs  to  the  health  care  system 
which  one  study  estimated  at  $2.4  million  annually  per  100,000  population.  On 
top  of  health  care  costs,  lost  productivity  costs  an  estimated  $8  million  annually 
per  1 00,000  population  in  Canada.4  Food-borne  outbreaks  affect  the  food 
industry  in  two  ways.  First,  contaminated  food  must  be  recalled  and  destroyed. 
Second,  food  safety  issues  in  Alberta  could  affect  agricultural  exports  and 
industry  development. 


Regular 

inspections 

expected 


Albertans  expect  that  facilities  where  food  is  prepared  are  regularly  inspected 
and  any  deficiencies  corrected.  In  particular,  regulators  should  identify  and 
correct  known  or  suspected  food  safety  risks  promptly.  Transparency  and 
accountability  in  the  food  safety  system  are  important  so  that  legislators  and 
citizens  have  information  about  food  safety  and  can  make  informed  decisions. 


3  Enteric  means  "occurring  in  the  intestines"  (Canadian  Oxford  Dictionary).  Not  all  enteric  diseases  are  food-borne;  the 
majority  are  related  to  norovirus  which  is  not  typically  food-borne.  While  public  health  personnel  investigate  all  Alberta 
outbreaks,  not  all  outbreaks  are  traced  to  a  source. 

4  The  Journal  of  Food  Protection,  "The  Burden  and  Cost  of  Gastrointestinal  Illness  in  a  Canadian  Community" 
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What  we  found  in  this  foliow-up  audit 
Repeated  recommendations 

We  again  recommend  that  AHS  follow  generally  accepted  and  consistent 
inspection  processes  across  the  province.  AHS  has  made  progress  on  building  a 
foundation  for  improved  practices.  For  example,  it  now  classifies  risks  and  sets 
frequency  targets  on  the  same  basis  across  Alberta.  However,  inspection 
frequency  has  improved  only  marginally.  In  2008,  AHS  completed  64%  of  its 
routine  inspections  across  the  province  as  compared  to  56%  in  2004.  Inspection 
frequencies  and  enforcement  actions  vary  significantly  between  the  regions. 
Inspection  documentation  is  still  inconsistent  between  health  regions.  Often 
inspectors  do  not  follow  up  critical  violations  at  food  establishments.  See 
section  4.1  for  details. 


Coordination  can 
improve 


Gaps  in  coverage 
still  exist 


Integrated 

accountability 

unchanged 


We  previously  made  three  recommendations  that  applied  jointly  to  Health, 
Agriculture  and  AHS.  All  three  are  repeated  here.  First,  we  again  recommend 
that  the  three  entities,  in  cooperation  with  federal  regulators,  improve  food 
safety  planning  and  cooperation  in  Alberta.  The  departments  have  made 
progress  in  defining  their  food  safety  policies  and  aligning  them  with  federal 
food  safety  policies.  However,  coordination  of  operations  can  improve.  The 
major  mechanism  for  coordination  in  2006  was  the  Canada-Alberta  Partners  in 
Food  Safety  (CAPiFS).  The  partners  are  refocusing  the  work  of  CAPiFS  and 
now  have  the  opportunity  to  effectively  share  and  coordinate  information  on 
food  safety  in  Alberta.  See  section  4.8  for  details. 

Second,  we  again  recommend  that  gaps  in  food  safety  coverage  be  eliminated. 
The  gaps  in  regulatory  coverage  that  we  reported  in  2006  continue  to  exist 
today.  For  example,  many  mobile  butchers'  premises  do  not  meet  acceptable 
standards  of  food  handling  and  overall  cleanliness.  A  small  percentage  of  meat 
facilities  do  not  meet  Alberta 's  Meat  Facility-  Standard  yet  continue  to  operate 
despite  histories  of  non-compliance.  Regulators  are  just  beginning  to  inventory 
the  facilities  in  Alberta  that  are  not  registered  federally.  Food  facilities  in  these 
categories  may  not  be  routinely  inspected  and  may  therefore  be  a  higher  food 
safety  risk.  See  section  4.9  for  details. 

Third,  we  again  recommend  that  Health  and  Agriculture  develop  performance 
measures  and  integrate  their  accountability  for  food  safety.  The  two 
departments  should  be  able  to  demonstrate  that  their  food  safety  system  protects 
Albertans.  Health  and  Agriculture  have  started  to  address  the  issue  by  drafting 
policy  statements.  However,  central  monitoring  and  reporting  of  results  is 
basically  unchanged  from  2006.  See  section  4.10  for  details. 
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We  again  recommend  that  AHS,  supported  by  Health,  improve  its  food  safety 
information  systems.  The  nine  former  health  regions  still  use  the  same 
information  systems  that  we  audited  in  2006.  Issues  of  data  access  and  security 
have  not  been  addressed.  Health  has  not  defined  standard  data  elements  or 
measures  and  does  not  collect  any  more  food  safety  or  environmental  health 
data  than  it  did  in  2006.  A  common  and  consistent  information  system  will 
support  our  earlier  recommendation  about  accountability.  See  section  4.3  for 
details. 


Results  of 
restaurant 
inspections  now 
available 


Recommendations  with  satisfactory  progress 

AHS  and  Health  have  made  satisfactory  progress  implementing  a  wider  range 
of  enforcement  and  promotion  tools.  In  particular,  AHS  has  made  restaurant 
inspections  publicly  available  through  the  regions'  websites  as  of  July  2008.  To 
fully  implement  this  recommendation,  the  entities  need  to  continue  their 
roll-out  of  innovative  solutions  such  as  disclosing  inspection  results  for  all  food 
establishments,  not  just  restaurants.  See  section  4.2  for  details. 


New  system  to 
manage 
surveillance 
projects 


Agriculture  has  made  satisfactory  progress  in  improving  the  management  of  its 
surveillance  projects.  Agriculture  has  designed  and  implemented  a  new  system 
to  plan,  select  and  manage  its  surveillance  program.  Agriculture  still  needs  to 
involve  stakeholders  in  setting  priorities  and  planning  its  surveillance  projects. 
Agriculture  should  also  improve  cost  tracking  for  its  projects.  See  section  4.5 
for  details. 


Agriculture  has  made  satisfactory  progress  improving  its  food  safety 
information  systems.  It  has  improved  access  and  security  controls  for  its 
smaller  applications  and  corrected  data  consistency  and  completeness  issues  we 
identified  in  2006.  The  Department's  food  safety  information  systems  could 
still  capture  more  types  of  data  and  Agriculture  should  classify  and  protect  all 
data  types  based  on  risk  and  sensitivity.  See  section  4.7  for  details. 

2.   Audit  objectives  and  scope 
2.1  Our  audit  objectives 

Our  objective  was  to  determine  if  Agriculture,  Health  and  AHS  have 
implemented  the  ten  food  safety  recommendations  from  our  2005-2006  Annual 
Report.  We  assessed  whether  management's  actions  to  address  our 
recommendations  were  adequate  against  the  same  audit  criteria  we  used  in 
2006. 


Agriculture's 
information 
systems  have 
improved 


90 


Report  of  the  Auditor  General  of  Alberta 
October  2009 


Health  and  Wellness 


Food  Safety — Follow-up 


2.2  Our  scope 

In  performing  this  follow-up  audit  we: 
What  we  did  •     visited  five  of  the  nine  health  regions  and  surveyed  the  remaining  four 

•  accompanied  a  meat  inspector  at  a  slaughter  facility  and  public  health 
inspectors  on  21  food  establishment  inspections 

•  reviewed  1 10  food  establishment  inspection  files  at  AHS  health  regions 
and  102  inspection  files  covering  meat  and  dairy  producers  at  Agriculture's 
Regulatory  Service  Division 

•  examined  16  project  files  in  Agriculture's  surveillance  project  management 
system 

•  interviewed  management  and  staff  from  all  three  entities 

We  do  not  have  the  authority  to  audit  the  federal  entities""  that  regulate  aspects 
of  food  safety  in  Alberta,  nor  did  we  contact  these  entities  during  our  follow-up 
audit.  When  we  quote  annual  statistics,  they  relate  to  the  2008  calendar  year 
unless  otherwise  indicated. 


Overview  of  food 
safety  in  original 
Report 


Health 

organizational 
changes 


Background 

Our  2005-2006  Annual  Report  gave  an  overview  of  food  safety  in  Alberta. 
Readers  can  review  this  material  online.6  The  overview  begins  on  page  66  of 
volume  1  of  our  2005-2006  Annual  Report  and  discusses: 

•  the  importance  of  food  safety 

•  the  regulators  of  food  safety  in  Alberta,  including  the  Canadian  Food 
Inspection  Agency  (CFIA)  and  the  provincial  food  safety  regulators 

•  mechanisms  to  coordinate  food  safety  initiatives  internationally,  nationally 
and  provincially 

To  follow  up  our  2006  recommendations,  we  dealt  with  the  Environmental 
Public  Health  Team  at  Health.  Since  our  2005-2006  Annual  Report,  the 
department  moved  this  team  into  the  Surveillance  and  Environmental  Health 
group  within  the  Public  Health  Division  (formerly  the  Population  Health 
Division). 


Few  changes  in 
program  delivery 
at  AHS 


While  AHS  began  in  2008,  environmental  public  health  programs  continue  to 
be  delivered  under  the  same  nine-region  format  that  existed  in  2006.  Until  the 
end  of  our  field  audit  work  in  June  2009,  there  were  still  nine  directors  running 
nine  programs  across  the  province.  The  number  of  public  health  inspectors 
working  on  food  safety,  about  1 10,  has  remained  constant  since  our  last  audit. 


5  The  federal  entities  include  Health  Canada,  its  First  Nation  and  Inuit  Health  Branch,  and  the  Canadian  Food  Inspection 
Agency  (CFIA). 

6  http://www.oag.ab.ca/f1les/oag/ar2005-06volumel  .pdf 
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Food  Safety 
Working  Group 
addressed  2006 
recommendations 


To  address  our  food  safety  recommendations,  Health  and  the  nine  health 
regions  formed  the  Food  Safety  Working  Group.  The  Group  summarized  its 
own  recommendations  in  a  report  titled  A  Unified  Response  to  the 
Recommendations  made  by  the  Office  of  the  Auditor  General  of  Alberta 
Respecting  Food  Safety  in  Alberta  (2005-2006)  and  to  the  Issue  of  Public 
Disclosure  from  the  Food  Safety  Working  Group.  The  Food  Safety  Working 
Group  made  1 1  recommendations  that  have  not  been  formally  approved  by  its 
member  organizations.  Health  and  AHS  follow  its  guidance  to  advance  their 
food  safety  initiatives. 


Agriculture 

organizational 

changes 

Food  safety 
continuum,  "from 
farm  to  fork" 


Multi- 

jurisdictional 
regulation 


In  2006,  Agriculture  reorganized  to  bring  all  inspection  and  investigation 
services  under  the  Regulatory  Services  Division.  Otherwise,  Agriculture's 
organization  remains  as  described  in  our  earlier  report. 
The  food  safety  continuum  refers  to  the  processes  that  ensure  safe  food  for 
consumers;  "from  farm  to  fork'1  is  one  saying  that  summarizes  the  continuum. 
Primary  production  takes  place  on  a  farm,  ranch  or  feedlot,  raising  animals  or 
growing  a  crop.  Primary  processing  takes  a  raw  product  and  begins  to  process 
it;  for  instance,  beef  are  slaughtered  or  vegetables  are  cleaned  and  graded. 
Secondary  processing  further  refines  the  product,  perhaps  to  turn  it  into 
ready-to-eat  or  frozen  items  that  are  marketed  in  stores.  Tertiary  processing 
takes  place  just  before  a  consumer  eats  it;  restaurants  are  most  numerous  in  this 
category,  but  there  are  other  food  preparation  environments  such  as  supportive 
living  homes,  school  lunch  rooms  and  work  camps.  There  are  also  support 
processes  in  the  continuum  such  as  the  transportation  and  storage  of  food.  Each 
process  along  the  continuum  poses  food  safety  issues. 

The  goal  of  food  safety  regulation  is  to  identify  risky  scenarios  and  mitigate 
those  risks.  In  Canada,  food  safety  regulation  is  multi-jurisdictional.  For 
example,  the  Canadian  Food  Inspection  Agency  regulates  most  of  Alberta's 
primary  beef  processing,  because  most  of  Alberta's  beef  goes  to  national  and 
international  purchasers.  Federal  regulators  also  have  responsibility  for  primary 
and  secondary  production  whose  products  exit  Alberta's  borders. 


Alberta's 

jurisdictional 

regulation 


Alberta  Agriculture  promotes  food  safety  in  primary  production  through  its 
Alberta  HACCP  Advantage  and  surveillance  programs.  Agriculture  also  has 
regulatory  jurisdiction  when  the  product  stays  in  the  province.  This  applies  to 
milk,  eggs  and  some  animal  slaughter.  AHS's  public  health  inspectors  regulate 
most  of  Alberta's  tertiary  processing.  There  is  an  equivalent  inspection  role  on 
First  Nations'  reserves  by  federal  public  health  inspectors  within  Health 
Canada. 
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4.    Our  audit  findings 

4.1  Food  establishment  inspection  programs — recommendation  repeated 
We  are  repeating  portions  of  this  recommendation  first  made  as  Key 
Recommendation  No.  6  in  our  2005 2006  Annua/  Report  (vol.  I    page  76). 
While  AHS  management  has  implemented  solutions  to  some  elements  of  our 
original  recommendation,  the  following  critical  actions  still  need  to  be 
addressed. 

Recommendation  No.  9 — repeated 

We  again  recommend  that  Alberta  Health  Services  improve  their  food 
establishment  inspection  programs.  Specifically,  AHS  should: 

•  inspect  food  establishments  following  generally  accepted  inspection 
frequency  standards 

•  ensure  that  inspections  are  consistently  administered  and  documented 

•  follow  up  critical  violations  promptly  to  ensure  that  food 
establishments  have  corrected  those  violations 

Background 

Public  health  practitioners  rely  on  food  establishment  inspections  to  protect 
human  health.  Routine  inspections  occur  at  frequency  levels  as  described  in  the 
Blue  Book.1  The  Blue  Book  calls  for  an  annual  stratification  of  food 
establishments  into  three  risk  categories  or  classes. 

Risk  classes  are  based  on  the  amount  of  handling  and  preparation  food 
undergoes  before  it  is  consumed.  Risk  class  1  establishments  sell  prepackaged, 
ready-to-eat  food  and  therefore  have  the  lowest  risk.  Risk  class  2  establishments 
(for  example,  many  fast  food  outlets)  have  some  food  preparation  but  do  not 
use  raw  products.  Full  service  restaurants  in  which  raw  food  is  stored  and 
prepared  fresh  are  risk  class  3.  Seasonal  operations  such  as  summer  camps  and 
booths  at  special  events  require  at  least  one  inspection  per  open  period. 
Additional  inspections  occur  to  ensure  correction  of  violations,  investigate 
food-borne  illnesses  and  outbreaks,  investigate  complaints,  or  act  on  a  food 
recall. 


Risk  classes  and 
inspection 
requirements 


The  environmental  health  directors  in  the  health  regions  developed  the  booklet  titled  A  Common  Reference  System  and 
Operational  Standards  for  Alberta  Regional  Health  Authority  Environmental  Health  Programs — October  2001 ,  commonly 
called  the  Blue  Book.  The  Blue  Book  defines  vision,  mission,  scope,  principles  and  values  for  environmental  health  programs. 
It  then  breaks  environmental  health  into  seven  functional  program  areas,  one  of  which  is  food  safety.  Every  health  region 
uses  the  seven  functional  program  areas  from  the  Blue  Book  to  organize  its  work. 
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Criteria:  the  standards  we  used  for  our  audit 

The  systems  that  support  program  delivery  should  be  well  designed,  controlled, 
and  operated.  Standards  for  program  delivery  should  be  defined.  Each  entity 
should  have  adequate  manpower,  including  training  and  continuing  professional 
education. 

Food  safety  programs  should  be  consistent  across  the  province  (not  necessarily 
the  same,  but  of  equivalent  effectiveness).  Throughout  the  province,  those  being 
regulated  should  receive  equivalent  treatment.  Managers  should  monitor 
operational  results  on  a  timely  basis.  The  extent  and  timeliness  of  program 
delivery  should  be  maintained.  Appropriate  actions  should  be  taken  at  each 
entity,  based  on  program  results. 


Inspections  follow 
common  standards 


Our  audit  findings 

Risk  assessment 

At  the  time  of  our  field  work,  AHS  had  almost  completed  the  conversion  of  all 
regions'  food  establishment  classification  systems  into  the  three  risk  categories 
outlined  in  the  Blue  Book.  The  conversion  should  be  completed  in  2009. 


The  Food  Safety  Working  Group  developed  the  "Food  Establishment  Hazard 
Assessment  Worksheet,"  a  tool  for  classifying  an  establishment's  risk  class.  Six 
of  the  nine  health  regions  are  using  the  worksheet.  The  other  three  are  using 
similar  risk  assessment  tools. 

We  conclude  that  AHS  uses  a  common  risk  assessment  standard.  Management 
has  implemented  this  portion  of  the  original  recommendation. 


Frequency  has 
improved  but  does 
not  meet  standards 


Inspection  frequency 

All  health  regions  have  adopted  the  Blue  Book  guidelines:  class  3  facilities 
require  an  inspection  every  4  months,  class  2  every  6  months  and  class  1 
annually.  The  following  table  shows  each  region's  routine  inspection  load.  In 
2008,  inspection  completion  rates  at  the  nine  health  regions  ranged  from  39%  to 
100%.  The  overall  provincial  completion  rate  for  2008  was  64%  compared  to 
56%  in  2004.  Frequency  statistics  have  improved  in  eight  regions  and  three 
regions  meet  the  standard.  However,  for  the  province  as  a  whole,  approximately 
one-third  of  routine  inspections  are  not  taking  place. 
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Food  establishment  inspection  totals  by  Regional  Health  Authority 


2008 

2004 

Regional  Health 
Authority 

Expected  routine 
inspections 

Actual  routine 
inspections 

%  completed 

%  completed 

Calgary 

18,027 

6.984 

39" 

43 

Aspen 

3,772 

1,678 

45 

39 

David  Thompson 

3.898 

2,163 

56 

43 

Peace 

2,813 

2,001 

71 

41 

Chinook 

2,784 

2.149 

77 

42 

Northern  Lights 

838 

721 

86 

65 

East  Central 

1.615 

1.588 

98 

30 

Palliser 

1,201 

1.184 

99 

63 

Capital 

11,223 

1 1,280 

100  + 

97 

Provincial  Totals 

46,171 

29,748 

64%  (avg.) 

56%  (avg.) 

Shortage  of  Management  has  indicated  a  shortage  of  inspectors  continues  to  be  the 

inspectors  explanation  for  why  inspection  frequency  guidelines  are  not  met.  To  meet  these 

guidelines,  AHS  estimates  it  would  need  to  spend  roughly  $4.5  million  more 
per  year  for  additional  inspectors  and  related  supervisory  and  support  staff. 


Consistent  inspection  and  documentation 

Food  establishment  inspection  requires  professional  judgment.  It  is  not 
surprising  that  different  public  health  inspectors  use  different  inspection 
techniques.  However,  the  inspection  system  as  a  whole  needs  to  establish 
standards  to  ensure  that  essential  issues  are  covered,  assessed  consistently  and 
documented. 


Documentation  of 
inspections  vary 


AHS,  through  the  Food  Safety  Working  Group,  has  begun  to  establish  these 
standards.  The  group's  "Common  Set  of  Inspection  Elements  for  Uniform 
Reporting,"  identifies  both  critical  and  non-critical  elements  to  be  covered 
during  an  inspection.  However,  each  health  region  still  uses  its  own  checklist. 
These  checklists  vary  by  region;  some  contain  as  few  as  2 1  elements,  others  as 
many  as  34.  The  approach  to  filling  out  these  checklists  also  differs.  Some 
inspectors  use  the  exception  approach,  reporting  only  those  items  not  in 
compliance.  Those  using  computers  generally  follow  a  completion  approach, 
checking  off  items  as  they  are  covered. 


Critical  violation 
checklists  vary 


The  Food  Safety  Working  Group  also  developed  a  "Critical  Violation 
Compliance"  checklist  which  sets  out  critical  violations  under  the  food 
regulations.  Again,  inspectors  continue  to  use  a  variety  of  checklists  in  the  field. 
The  number  of  defined  critical  violations  varies  from  13  to  18  in  the  checklists 


8  This  data  is  reported  per  calendar  year  and  is  unaudited.  A  routine  inspection  is  a  formal  and  complete  inspection  to 
determine  compliance  with  Blue  Book  and  professional  standards. 
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now  in  use.  Because  a  common  set  of  inspection  elements  and  critical 
violations  has  not  been  incorporated  by  all  regions,  it  is  difficult  to  determine  if 
similar  violations  receive  the  same  treatment  across  the  province. 


Many  scheduled 
re-inspections  not 
done 


Critical  violations 

The  immediate  correction  of  critical  violations  is  a  key  preventative  control. 
The  Food  Safety  Working  Group  identified  standard  response  times  and 
re-inspection  timeframes  (in  working  days)  for  critical  violations.  However, 
when  we  tested  inspection  reports  from  1 10  establishments,  we  found  31  cases 
where  re-inspections  were  scheduled  but  never  done. 


Increased 
prosecutions  and 
executive  orders 


Use  of  enforcement  powers 

Public  health  inspectors  have  regulatory  authority  under  the  Public  Health  Act 
to  enforce  their  findings.9  In  our  2005-2006  Annual  Report,  we  noted  that 
inspectors  seemed  reluctant  to  move  up  the  enforcement  ladder.  In  2008,  we 
observe  this  has  changed.  There  has  been  an  increase  in  the  number  of 
prosecutions  and  executive  orders. 


Food  safety  prosecutions  and  orders  by  Regional  Health  Authority 


10 


Regional  Health 
Authority 

Prosecutions 

Executive  orders 

2008 

2008 

Calgary 

7 



3 

166 

Aspen 

2 

1 

31 

David  Thompson 

1 

14 

Peace 

0 

14 

Chinook 

0 

5 

Northern  Lights 

0 

11 

East  Central 

0 

3 

Palliser 

0 

4 

Capital 

17 

106 

Provincial  Totals 

27 

4 

354 

Consistent 
practices  across 
province  required 


We  conclude  that  AHS  has  made  satisfactory  progress  in  implementing  this  part 
of  our  original  recommendation.  AHS  must  now  ensure  consistent  enforcement 
action  across  the  province.  For  example,  in  2008  Aspen  prosecuted  two  food 
establishments  and  wrote  executive  orders  on  3 1.  For  the  same  period,  neither 
Chinook  nor  Palliser  (which  are  at  least  as  large  as  the  Aspen  region) 
prosecuted  any  cases  and  both  wrote  five  or  fewer  orders. 


The  Public  Health  Act,  RSA  2000,  c.P-37,  gives  public  health  inspectors  (as  executive  officers  under  the  Act)  the  power  to 
issue  executive  orders  to  facilities  that  pose  a  food  safety  risk.  Executive  orders  can  impose  a  broad  range  of  requirements  on 
the  operator,  from  requiring  immediate  rectification  of  an  issue  to  amending  permits  and  even  to  closing  a  facility. 
1  This  data  is  reported  per  calendar  year  and  is  unaudited.  All  prosecutions  in  both  2004  and  2008  resulted  in  guilty  verdicts. 
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Conflict  of  interest 
standard  met 


Innovative  tools 
were 

recommended 


Conflict  of  interest 

Alberta  Health  Services  has  a  conflict  of  interest  bylaw  that  all  staff  must 
adhere  to.  Most  health  regions  manage  the  bylaw  through  their  human  resource 
processes.  Three  health  regions  went  a  step  further  by  requiring  disclosure  b\ 
inspectors  regarding  their  memberships  and  relationships  with  organizations 
they  could  inspect. 

Management  has  implemented  this  part  of  our  original  recommendation. 
What  remains  to  be  done 

Alberta  Health  Services  will  finish  implementing  this  recommendation  when: 

•  food  establishments  are  inspected  within  province-wide  frequency 
standards 

•  inspections  are  carried  out  and  documented  on  a  consistent  basis 

•  critical  violations  are  followed  up  in  a  required  timeframe  to  ensure 
identified  violations  have  been  corrected 

•  enforcement  actions  are  consistently  administered  across  the  province 

Implications  and  risks  if  recommendation  not  implemented 

If  regulators  do  not  implement  consistent  inspection  practices  across  the 
province,  levels  of  food  safety  inspection  may  vary.  Lower  standards  of 
inspection  can  lead  to  adverse  human  health  impacts.  When  inspections  fall 
behind  frequency  targets,  public  health  risk  may  increase. 

Without  consistent  documentation,  management  will  not  have  the  information 
they  need  to  analyze  the  effectiveness  of  their  programs. 

Without  timely  action  on  known  food  safety  issues,  food  safety  regulators 
accept  an  increased  risk  to  Albertans'  health.  Without  timely  and  effective 
follow-up,  food  establishments  with  chronic  poor  food  safety  practices  will 
continue  to  operate  and  expose  Albertans  to  the  risk  of  food-borne  illness. 

4.2  Tools  to  promote  and  enforce  food  safety— satisfactory  progress 
Background 

In  our  2005  2006  Annual  Report  (vol.  1— page  83),  we  recommended  that 
AHS  and  Health  consider  a  wider  range  of  tools  to  promote  and  enforce  food 
safety. 

We  noted  that  Alberta's  regulators  should  consider  innovative  approaches  to 
improve  food  safety.  Many  jurisdictions  outside  Alberta  had  implemented 
innovations  and  reported  on  their  effectiveness. 
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Criteria:  the  standards  we  used  for  our  audit 

The  regulators  should  have  the  legislative,  regulatory  and  promotional  tools 
needed  to  exercise  their  food  safety  mandate.  Practices  should  be  consistent 
across  the  food  safety  continuum. 


Restaurant 
inspections 
disclosed 


Our  audit  findings 

Effective  July  1,  2008,  the  Minister  of  Health  and  Wellness  directed  all  health 
regions  to  disclose  the  results  of  restaurant  inspections  on  their  websites.  All 
regions  complied.  Other  food  establishment  inspections,  such  as  those  of 
grocery  stores  or  meat  facilities,  are  not  disclosed.  As  well,  the  disclosure  by 
health  region  varies;  some  include  the  entire  inspection  report  while  others 
disclose  critical  violations  only. 


HACCP  training 
and  concepts  have 
been  introduced 


Hazard  Analysis  Critical  Control  Point  (HACCP)  is  an  internationally 
recognized,  science-based  preventative  approach  to  food  safety.  HACCP  can  be 
implemented  in  food  establishments  by  the  operators  to  enhance  food  safety. 
Some  jurisdictions  have  mandated  HACCP  (or  less  arduous  processes  based  on 
HACCP  principles)  to  oblige  operators  to  increase  their  food  safety  activities. 
Since  our  original  audit,  HACCP  concepts  have  been  introduced  in  the 
province's  training  course  for  food  handlers.  As  well,  HACCP  training  has  been 
provided  to  public  health  inspectors. 


Other  tools 
identified 


The  Food  Safety  Working  Group  identified  further  innovative  approaches  to 
food  handler  education,  certification  and  on-the-job  training,  as  well  as 
enhanced  food  testing  techniques.  AHS  and  Health  have  not  decided  which  of 
these  approaches  will  be  implemented. 


What  remains  to  be  done 

Alberta  Health  Services  and  Health  will  fully  implement  this  recommendation 
when  they  complete  their  process  to  assess  and  implement  innovative  solutions 
to  food  safety  issues  such  as  those  identified  by  the  Food  Safety  Working 
Group. 


Implications  and  risks  if  recommendation  not  implemented 

Without  exploring  innovative  initiatives,  regulators  may  not  have  the  best 
support  and  sanctions  to  improve  operator  performance.  Without  innovative 
practices,  borderline  food  safety  practices  by  operators  may  not  be  eliminated. 
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4.3  Food  safety  information  systems — recommendation  repeated 

We  have  repeated  this  recommendation,  first  made  as  Key  Recommendation 
No.  7  in  our  2005-2006  Annual  Report  (vol.  1— page  84). 

Recommendation  No.  10 — repeated 

We  again  recommend  that  Alberta  Health  Services,  supported  by  the 
Department  of  Health  and  Wellness,  improve  their  automated  food  safety 
information  systems.  This  includes: 

•  enhancing  system  management,  security,  and  access  control 

•  ensuring  data  consistency 

•  ensuring  that  service  level  agreements  are  in  place 

•  developing  reporting  capacity  for  management  and,  accountability 
purposes 


Three  systems 
used  at  health 
reuions 


Background 

The  health  regions  use  three  different  software  packages  to  collect  and  store 
environmental  health  information  (including  food  safety  information):  TMS, 
Caseworks  and  Hedgehog.  All  three  packages  support  food  safety  activities 
such  as  issuing  permits,  calculating  risk  for  each  establishment,  recording 
inspections,  scheduling  re-inspections  and  reporting  summary  results.  There  is 
no  common  software  package  for  the  province  as  a  whole.  Health  does  not 
access  the  systems  that  AHS  currently  uses,  does  not  collect  regional 
environmental  health  data  and  does  not  have  a  system  to  store  it. 

Criteria:  the  standards  we  used  for  our  audit 

Information  systems  should  be  well  designed,  controlled  and  operated. 
Managers  should  define  the  information  they  need  to  plan,  manage  and  report 
on  their  key  businesses;  the  infonnation  systems  should  collect  that  data. 
Systems  should  be  secure,  including  access,  input  and  processing  controls. 
Systems  should  collect  and  maintain  timely,  complete  and  accurate  data. 
Management  should  periodically  review  to  ensure  data  quality.  Data  should  be 
accessible  to  those  who  need  it.  Information  systems  should  be  efficient  and 
reliable. 


No  changes  in 
security  and 
access  since  2006 


AHS  and  Health 
need  separate 
systems 


Our  audit  findings 

AHS  has  not  changed  the  food  safety  information  systems  at  the  health  regions. 
Whatever  was  in  place  in  2006  still  operates  in  the  same  way  today.  The  system 
management,  security,  access  control  and  service  level  agreement  issues  raised 
in  2006  are  repeated. 

The  Food  Safety  Working  Group  recommended  a  single  environmental  health 
information  management  system  for  the  province.  Initially,  the  entities 
considered  whether  one  system  would  serve  both  AHS  and  Health.  They 
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decided  that  AHS  and  Health  would  each  require  its  own  system.  This 
reinforces  the  need  for  coordinated  effort  to  ensure  both  entities  secure  the  data 
they  need  to  plan,  manage  and  satisfy  accountability  expectations. 


Information 
system  planning  at 
Health 


Health  has  prepared  its  own  "go  forward  plan"  which  outlines  strategies  to 
improve  the  quality  and  timeliness  of  environmental  health  information.  Food 
safety  is  an  important  component  of  this  plan.  It  requires  Health  to  develop 
outcome  indicators,  performance  measures  and  data  elements  for  its  new 
system.  The  plan  has  not  yet  established  timelines  for  developing  and 
implementing  the  system. 


Health  to  define 

information 

requirements 


In  the  interim,  Health  does  not  want  to  impede  AHS's  information  system 
development,  and  plans  to  define  provisional  requirements  for  environmental 
health  data  sets  and  indicators  in  summer  2009.  The  objective  is  for  Health  to 
determine  what  information  is  required.  AHS  will  provide  that  information,  no 
matter  what  system  it  decides  to  implement.  At  present  AHS  has  no  formal  plan 
or  timeline  for  its  system  development. 


Implications  and  risks  if  recommendation  not  implemented 

Without  adequate  security  for  their  computerized  information  systems,  health 
regions  run  the  risk  of  lost  or  corrupt  data.  This  can  have  an  impact  on 
managing  the  business  and  supporting  regulatory  decisions.  Without  strong 
service  level  agreements  in  place,  health  regions  may  face  an  unexpected 
service  disruption  due  to  issues  with  the  software  vendor. 

Without  a  defined  data  set  for  the  province,  efforts  to  collect  consistent  data 
will  be  undermined.  Without  discussing  data  needs  with  other  potential  data 
users,  those  users  will  not  be  able  to  access  the  data  that  would  improve  their 
analysis  of  food  safety  and  public  health  issues. 


Permits  required 
to  operate 


4.4  Compliance  with  permitting  legislation — implemented 
Background 

In  order  to  operate,  a  food  establishment  requires  a  valid  permit.  The  Minister 
of  Health  sets  the  fees.  The  health  regions  issue  the  annual  permit  and  collect 
the  fees.  Permits  will  not  be  issued  unless  fees  are  collected. 


In  our  2005-2006  Annual  Report  (No.  8 — vol.  1,  page  87),  we  recommended 
that  AHS  ensure  their  food  establishment  permitting  practices  comply  with 
legislation  and  are  efficient. 
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Permits  now 
current 


Our  audit  findings 

All  health  regions  have  streamlined  their  permitting  processes.  They  have 
established  payment  dates  and  processes  that  allow  establishments  to  comply 
with  regulations.  In  particular,  establishments  get  their  permits  before  the 
permit  year  begins. 


Agriculture's 
surveillance 
programs  needed 
to  improve 


4.5  Agriculture's  surveillance  program— satisfactory  progress 
Background 

In  our  2005-2006  Annual  Report  (No.  9 — vol.  1 ,  page  88),  we  recommended 
that  the  Department  of  Agriculture  and  Rural  Development  improv  e  the 
administration  of  its  food  safety  surveillance"  programs.  This  included: 

•  documenting  its  prioritization  processes 

•  involving  partners  in  the  prioritization  of  projects 

•  ensuring  conditions  for  the  approval  of  specific  projects  are  met  and  final 
approval  recorded 

•  capturing  costs  for  large  projects 

•  monitoring  the  impact  of  surveillance  projects 

•  considering  whether  regulatory  support  for  the  program  is  required 

Criteria:  the  standards  we  used  in  our  audit 

The  Food  Safety  Division  (FSD)  should  ensure  its  process  to  select,  implement 
and  monitor  surveillance  projects  is  appropriate.  There  should  be  effective 
coordination  between  food  safety  partners  to  ensure  initiatives  are  properly 
prioritized.  Surveillance  programs  should  be  operated  effectively  and 
efficiently.  Managers  should  monitor  results  and  take  appropriate  actions,  based 
on  program  results. 


New  system 
implemented 


Our  audit  findings 

Agriculture  has  developed  and  is  implementing  a  new  system  designed  "to  plan, 
select  and  manage  [surveillance]  work,  and  realize  results  that  provide  the 
greatest  benefit." 12  The  system's  design  satisfies  the  issues  we  raised  in  our 
original  audit.  Some  elements  of  the  new  system  are  still  being  implemented. 
This  is  why  three  of  six  sub-recommendations  are  still  in  progress. 


Prioritization 
focuses  on  food 
safety  issues 


Prioritization  processes 

In  its  new  system,  Agriculture  prioritized  seven  food  safety  topics.13  Each  topic 
has  a  specialist  issue  team.  Each  team  develops  specific  food  safety  issues 
within  its  topic.  For  example,  BSE  (mad  cow  disease)  in  cattle  is  an  issue 


11  Surveillance  refers  to  the  collection,  analysis  and  interpretation  of  food  safety  information. 

12  Taken  from  an  internal  PowerPoint  presentation  created  by  FSD  entitled  Results  Chains:  Integration  of  a  value 
management  concept  in  FSD  (undated). 

13  The  seven  high-level  food  safety  topics  are:  transmissible  spongiform  encephalopathies  (TSEs);  parasites;  chemical 
containment;  bacteria;  viruses;  antimicrobial  resistance;  and  syndromes. 
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Issues  have 
desired  outcomes 


within  the  TSE  topic.  At  the  time  of  our  audit,  Agriculture  had  identified 
58  issues.  Agriculture  prioritizes  these  issues  by  considering  scientific,  social 
and  political  criteria  following  a  systematic  process. 

For  the  most  critical  issues,  Agriculture  creates  a  "results  chain."  Using 
flowcharting  techniques,  a  results  chain  defines  the  desired  outcomes  for  that 
issue.  For  example,  "decreased  contamination  in  a  finished  product"  may  be  a 
desired  outcome.  The  chain  then  defines  and  links  projects,  initiatives  and 
barriers  that  may  contribute  to  or  threaten  the  achievement  of  the  desired 
outcomes.  At  the  time  of  our  audit,  Agriculture  had  completed  28  results  chains 
and  is  completing  more  based  on  its  prioritization  of  the  issues. 

The  prioritization  process  has  been  standardized  and  documented.  This 
implements  our  first  sub-recommendation. 


Partner 

involvement  not 
formalized 


Involving  partners 

Agriculture  has  not  yet  formally  involved  partners  or  stakeholders  in  the 
development  and  prioritization  of  food  safety  issues.  Using  a  results  chain 
approach,  Agriculture  identifies  the  actions  necessary  for  government,  industry 
and  stakeholders  to  achieve  an  identified  outcome.  Within  the  new  system, 
Agriculture  seeks  partners  when  a  potential  surveillance  project  needs  an 
industry  partner.  The  opportunity  to  engage  partners  and  stakeholders  earlier 
should  be  considered  and  formalized.  Therefore,  this  sub-recommendation  is 
still  in  progress. 


Project  approval 
process  well 
designed 


Approval  process 

From  the  original  audit,  we  recommended  that  conditions  of  approval  be  met 
and  final  approval  be  recorded.  Proposed  projects  are  reviewed  and  endorsed  by 
a  project  team,  a  project  sponsor,  the  appropriate  food  safety  issue  team,  and 
approved  by  FSD's  Senior  Leadership  Team14.  FSD  records  and  stores  its 
surveillance  prioritization  decisions  and  related  documents  on  the  computerized 
Project  Reports  Database.  FSD  has  successfully  implemented  this 
sub-recommendation. 


Tracking  costs  is 
better;  plans  in 
place  to  further 
improve 


Costing 

As  in  the  original  audit,  capturing  cost  information  can  improve.  FSD  now  has 
a  staff  member  specifically  tracking  and  reporting  costs.  However,  in-kind  costs 
(those  related  to  internal  departmental  resources  like  laboratory  services  or  staff 
time)  are  not  always  complete  because  Agriculture  lacks  systems  to  capture 
them.  For  example,  currently  a  surveillance  team  member's  time  would  be 
captured  only  if  a  portion  of  their  salary  had  been  budgeted  to  the  particular 


14  The  Senior  Leadership  Team  is  comprised  of  members  from  the  three  Food  Safety  Division  branches  and  their  Director. 
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project  and  then  allocated  to  project  costs  for  the  year.  This  typically  only 
happens  for  senior  employees'  time.  Capturing  staff  time  will  improve  as  the 
Department  is  planning  a  system  to  record  staff  time  by  project  code.  As  a 
result,  we  conclude  the  Department  is  making  satisfactory  progress  on  this 
sub-recommendation. 


Project 

information  is 
available  and 
results  are  shared 


Regulatory  change 
sought  if  required 


Monitoring  impact  of  surveillance  projects 

To  influence  food  safety  positively,  the  knowledge  gathered  through 
surveillance  projects  needs  to  find  its  way  into  practice.  As  we  reported  in 
2006,  projects  usually  end  with  a  publication.  FSD  rightly  considers  publication 
a  criterion  for  determining  the  impact  of  a  project.  For  its  recent  projects.  FSD 
also  reports  how  project  participants  themselves  have  implemented  surveillance 
recommendations.  For  example,  before  FSD's  "boot  bath"  project"  began, 
three  of  eight  partners  used  boot  baths  in  their  facilities;  after  the  project,  seven 
implemented  boot  baths.  FSD  should  extend  this  type  of  analysis  to  determine 
the  impact  of  its  surveillance  projects.  We  conclude  that  Agriculture  has  made 
satisfactory  progress  with  this  sub-recommendation. 

Considering  need  for  regulatory  support 

Within  the  new  system,  FSD  considers  the  need  for  regulatory  support  in  the 
context  of  a  particular  results  chain.  If  a  project,  activity,  or  barrier  requires 
regulatory  support  in  order  to  promote  positive  food  safety  outcomes, 
regulatory  support  will  be  sought.  This  satisfies  our  last  sub-recommendation. 


What  remains  to  be  done 

Agriculture  should: 

•  involve  stakeholders  and  partners  in  its  surveillance  issue  identification  and 
prioritization  processes 

•  implement  systems  to  capture  in-kind  costs  for  specific  surveillance 
projects — Department-wide  systems  may  provide  the  solution  to  some  of 
these  cost-capture  requirements 

•  extend  its  analysis  of  surveillance  project  results  to  determine  whether  its 
projects  ultimately  contribute  to  food  safety  outcomes 

Implications  and  risks  if  recommendation  not  implemented 

Food  safety  partners  and  stakeholders  can  add  a  practical,  commercial 
enterprise  point  of  view  to  the  identification  and  prioritization  of  food  safety 
issues.  Industry  involvement  at  the  prioritization  level  may  help  identify 
potential  project  partners.  Without  cost  information,  management  is  missing  a 
component  in  the  cost-benefit  analysis  of  its  projects.  Without  understanding 


15  The  project's  objective  was  to  determine  if  disinfecting  boot  baths  placed  outside  slaughter/kill  floors  in  abattoirs  assist  in 
reducing  the  microorganism  count  on  the  footwear  of  plant  personnel  upon  entering  and  exiting.  The  study  determined  they 
do;  the  bacterial  reduction  was  statistically  significant. 


Report  of  the  Auditor  General  of  Alberta 
October  2009 


103 


Health  and  Wellness 


Food  Safety — Follow-up 


whether  their  projects  have  made  an  impact  in  practice,  FSD  will  not  be  able  to 
assess  their  program's  effectiveness. 

4.6  Agriculture's  inspection  and  investigation  programs — implemented 
Background 

In  our  2005-2006  Annual  Report  (No.  10 — vol.  1 ,  page  91),  we  recommended 
that  the  Department  of  Agriculture  and  Rural  Development  improve  its 
inspection  and  investigation  programs  by  ensuring: 

•  it  considers  a  broader  range  of  enforcement  tools 

•  inspections  are  up  to  date 

•  practices  for  complaints,  incident  reports  and  held  tags16  are  consistent 

Our  audit  findings 
Enforcement  tools 

The  Regulatory  Services  Division  (RSD)  analyzed  the  need  for  further 
legislative  authority.  It  concluded  that  further  penalties  were  not  required.  RSD 
also  developed  a  "compliance  principles"  document  to  guide  inspector  and 
investigator  responses  to  non-compliance.  Inspectors  and  investigators  now  use 
these  principles  to  guide  their  actions. 

Up-to-date  inspections 

In  2006,  inspectors  attended  all  slaughter  dates  as  the  regulations  dictate,  but 
other  routine  inspections  covering  bulk  milk  graders,  transport  vehicles  and 
dairy  farms  were  behind  schedule.  These  routine  inspections  are  now  up  to  date. 
For  example,  dairies  are  inspected  every  two  years  unless  non-compliance  is 
observed,  in  which  case  inspection  frequency  increases  until  issues  are 
addressed. 

Complaints,  incident  reports  and  held  tags 

RSD  has  standardized  its  management  of  complaints,  incident  reports  and  held 
tags.  For  example,  all  complaints  are  treated  as  incidents  whose  disposition  is 
recorded  on  Agridam.17  As  well,  held  tags  are  now  tracked  at  the  facilities 
where  the  tags  are  issued. 


Non-compliance 

principles 

developed 


Dairy  inspections 
up-to-date 


Standardized 
process  developed 


16  Under  Alberta's  Meat  Inspection  Act  and  Meat  Inspection  Regulation  42/2003,  inspectors  can  hold  a  carcass  (or  part  of  it) 
to  prevent  its  further  processing.  The  inspector  does  so  by  affixing  a  tag  with  the  words  "Alberta  held"  to  the  carcass.  Only  an 
inspector  can  affix  or  remove  held  tags.  Typically  the  inspector  holds  a  carcass  while  awaiting  lab  results  to  confinn  that  it  is 
fit  for  human  consumption.  Inspectors  can  also  use  held  tags  to  prevent  use  of  "any  equipment,  surface  or  room  [that]  does 
not  meet  the  requirements  of  the  legislation"  (paragraph  39(  1 )  of  the  Regulation). 

17  Agridam  is  Regulatory  Services  Division's  food  safety  application  that  is  used  to  track  information  related  to  meat 
inspections,  investigations  and  licensing. 
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Supervisor) 
review  enhanced 


Access  controls 
and  data  collection 
could  improve 


In  2008,  RSD  added  an  internal  inspection  process  whereby  regional  managers 
directly  review  an  inspection  by  their  red  meat  inspectors.  The  supervisor's 
review  reinforces  consistency  in  processes  such  as  daily  checklists,  held  tags, 
and  ante-  and  post-mortem  inspection  procedures. 

4.7  Agriculture's  food  safety  information  systems— satisfactory  progress 
Background 

In  our  2005-2006  Annual  Report  (vol.  1 — page  94),  we  recommended  that  the 
Department  improve  its  food  safety  information  systems.  This  included: 

•  improving  security  and  access  controls 

•  ensuring  complete,  timely  and  consistent  data  collection 

•  ensuring  data  gets  converted  onto  the  computerized  database 

We  suggested  ways  that  food  safety  information  systems  could  gather  further 
key  data  and  improve  data  use.  We  found  staff  using  inadequate  passwords  and 
sharing  sign-on  IDs,  thereby  compromising  information  systems'  security.  Data 
collection  was  hampered  by  inconsistent  numbering  conventions  for 
surveillance  projects.  We  also  expressed  concern  over  the  transfer  of 
information  from  ANHSURS1*  and  other  data  sources  to  the  new  AIMS19 
computer  system. 

Criteria:  the  standards  we  used  for  our  audit 

Information  systems  should  be  well  designed,  controlled  and  operated. 
Managers  should  define  the  information  they  need  to  plan,  manage  and  report 
their  key  businesses;  the  information  systems  should  collect  that  data.  Systems 
should  be  secure,  including  access,  input  and  processing  controls.  Systems 
should  collect  timely,  complete  and  accurate  data.  Data  should  be  accessible  to 
those  who  need  it.  Information  systems  should  be  efficient  and  reliable. 


System 

development  a 
slow  process 


Access  controls 
have  improved 


Our  audit  findings 

Information  systems  in  RSD  and  FSD  are  small;  most  run  on  outdated  software 
platforms  such  as  Lotus  Notes.  Each  division  supports  its  own  systems  and 
support  resources  are  limited.  As  a  result,  systems  development  is  a  slow 
process. 

Security  and  access  controls 

Access  control  for  the  Agridam  and  AIMS  systems  significantly  improved. 
Staff  now  must  go  through  the  Department's  central  sign-on  system  to  get  to 
these  applications.  Central  sign-on  enforces  minimum  standards  for  passwords. 
Agriculture  eliminated  the  sharing  of  sign-ons. 


IS  ANHSURS  refers  to  Animal  Health  Surveillance  System.  This  system  records  raw  data  (e.g.,  laboratory  findings  or  field 
tests)  from  surveillance  and  other  projects. 

]g  AIMS  refers  to  Agri-Food  Information  Management  System.  It  is  the  replacement  system  for  ANHSURS. 

Report  of  the  Auditor  General  of  Alberta 
October  2009 


105 


Health  and  Wellness 


Food  Safety — Follow-up 


Sensitive  or 
confidential  data 
not  restricted 


In  terms  of  access  security,  anyone  with  access  to  the  Projects  Reports  Database 
can  view  all  project  data.  The  Database  is  not  classified  according  to  sensitive 
or  confidential  data. 


More  information 
could  be  recorded 
in  Agridam 


Data  collection 

Our  concern  with  Agridam  was  that  more  types  of  data  could  be  collected,  and 
that  data  could  be  analyzed  to  enhance  inspection  and  investigation  programs. 
Agriculture  decided  to  use  its  resources  to  build  a  tracking  functionality  into 
Agridam,  so  work  on  our  recommendation  has  not  advanced. 


Project  numbering 
corrected 


FSD  has  corrected  the  numbering  of  its  surveillance  projects  by  assigning 
unique  numbers  on  the  Project  Reports  Database.  FSD  can  now  prepare  a 
complete  inventory  of  projects.  It  has  also  assigned  a  staff  member  to  ensure 
updates  to  the  Database  are  entered  on  a  timely  basis. 


BSE  data 
transferred  to  new 
database;  no 
organized 
archiving  of  other 
data 


Data  conversion 

FSD  populated  the  new  AIMS  database  with  only  the  data  from  historical  BSE 
projects.  This  was  done  to  save  time  and  money  on  the  change  to  the  new 
system.  The  data  related  to  all  other  projects  remains  in  whatever  form  it  was  in 
2006.  For  example,  hard  copy  materials  have  not  been  archived  in  an  organized 
manner.  Documentation  resides  with  the  originating  lab  or  scientist  and  if 
required  will  have  to  be  tracked  down  through  that  source. 


What  remains  to  be  done 

Agridam  should  capture  more  data  and  its  search  functionality  can  improve. 
Data  captured  on  the  Project  Reports  Database  should  be  evaluated  for  risk,  and 
access  to  sensitive  data  should  be  restricted.  Data  from  earlier  surveillance 
projects  (with  the  exception  of  BSE  projects)  should  be  identified  and  access 
should  be  assured. 

Implications  and  risks  if  recommendation  not  implemented 

Without  key  data  and  the  capacity  to  interrogate  that  data,  Agridam  will  not 
perform  to  its  full  potential.  Without  adequate  access  control,  sensitive  data 
may  be  available  to  unauthorized  parties.  Results  of  completed  surveillance 
projects  could  be  lost  if  not  catalogued  and  protected.  This  is  important  because 
some  of  that  data  could  provide  a  baseline  for  future  projects. 
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4.8  Integrated  food  safety  planning  and  activities — recommendation 
repeated 

Wc  first  made  numbered  recommendation  1  1  in  our  2005-2006  Annual  Report 
(vol.  1 — page  97).  That  recommendation  contained  six  sub-recommendations. 
We  have  repeated  two  of  six  sub-recommendations. 

Recommendation  No.  11 — repeated 

We  again  recommend  that  the  Departments  of  Health  and  Wellness  and 
Agriculture  and  Rural  Development,  in  cooperation  with  Alberta  Health 
Services  and  federal  regulators,  improve  planning  and  coordination  of  food 
safety  activities  and  initiatives.  This  includes: 

•  improving  day-to-day  coordination  of  prov  incial  food  safety  activities 

•  improv  ing  cooperation  and  working  relationships  among  provincial 
and  federal  partners  such  as  the  First  Nations  and  Inuit  Health 
Branch  and  the  Canadian  Food  Inspection  Agency 

In  addition  to  the  two  sub-recommendations  being  repeated,  recommendation 
1 1  included  four  other  sub-recommendations.  We  recommended  that  the 
Departments  of  Health  and  Wellness  and  Agriculture  and  Rural  Development, 
in  cooperation  with  Alberta  Health  Services  and  federal  regulators: 

•  define  their  own  food  safety  policies,  objectives  and  measures 

•  coordinate  provincial  food  safety  policies  and  planning  so  initiatives  are 
integrated 

•  ensure  provincial  approaches  align  with  initiatives  being  developed 
through  federal-provincial-territorial  committees 

•  encourage  the  joint  application  of  H  ACCP  and  HACCP-related  programs 
in  Alberta 

We  conclude  that  management  has  made  satisfactory  progress  on  these  four 
sub-recommendations. 


Coordinating 
mechanisms 
among  the  many 
participants 


Background 

In  our  2005-2006  Annual  Report,  we  outlined  the  mechanisms  to  coordinate 
food  safety  regulators'  activities  in  Canada  and  in  Alberta.  We  also  noted  the 
challenges  those  mechanisms  faced. 

•  At  the  national  level,  a  variety  of  federal-provincial-territorial  (FPT) 
committees  brought  together  participants  with  food  safety  interests.  At  that 
time,  FPT  committees  overlapped  on  several  issues  and  progress  toward  a 
national  food  safety  strategy  was  slow. 

•  Within  Alberta,  neither  ministry  had  completed  a  food  safety  strategy. 
Health's  efforts  to  create  a  "public  health  strategic  plan"  had  lost 
momentum.  Agriculture  had  adopted  a  food  safety  goal  and  had  developed 
aspects  of  a  strategic  plan  for  food  safety.  At  the  time,  progress  on 
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Agriculture's  strategic  plan  was  slow  and  neither  project  was  integrated 
with  the  other's  provincial  strategic  initiatives. 

•  On  an  operational  level,  the  federal  and  provincial  regulators  in  Alberta 
needed  to  coordinate  activities  on  issues  of  common  interest.  The  formal 
mechanism  was  CAPiFS.20  We  reported  that  CAPiFS  needed  to  renew  its 
terms  of  reference  because  new  members  had  joined  the  original  group  of 
Health  Canada,  Agriculture  and  Health. 

•  The  nine  health  regions  relied  on  DC921  to  coordinate  food  safety 
initiatives.  However,  DC9  did  not  have  a  formal  mandate  and  was  having 
difficulty  completing  specific  tasks. 

Criteria:  the  standards  we  used  for  our  audit 

In  a  multi-jurisdictional  environment  of  shared  responsibility  such  as  food 
safety,  there  should  be  integration  and  coordination.  Alberta's  ministries, 
departments  and  agencies'  policies  and  programs  should  be  coordinated 
province-wide.  The  foundation  for  food  safety  programs  should  be  consistent 
across  the  province. 

Our  audit  findings 
Repeated  sub-recommendations 

The  formal  coordination  of  food  safety  activities  in  the  province  needs  to  be 
redesigned.  On  a  positive  note,  initiatives  such  as  the  FPT  Food  Safety 
Committee,  the  work  of  CAPiFS  in  developing  a  draft  Alberta  Food  Safety 
Strategy  and  the  two  departments'  work  on  their  strategic  plans  have  kept 
communication  amongst  participants  open  over  the  past  three  years.  And 
informally  there  is  contact  and  cooperation  between  Agriculture,  Health,  and 
AHS  on  specific  outbreaks  and  food  safety  issues  as  they  arise. 

CAPiFS  However,  Agriculture  and  Health  want  to  improve  operational  coordination  by 

refocusing  the  work  of  CAPiFS.  The  partners  feel  they  can  realize  greater  value 
for  money  than  in  the  past,  but  have  not  defined  a  new  structure  or  mandate  for 
the  entity.  Since  2007,  CAPiFS  has  not  had  a  full-time  coordinator;  an 
Agriculture  manager  now  chairs  the  group.  Because  of  workload  and  priorities 
related  to  the  development  of  national  and  provincial  food  safety  strategies  and 
to  the  consolidation  at  Alberta  Health  Services,  CAPiFS  has  not  held  some  of 
its  normally  scheduled  monthly  meetings  and  not  resolved  many  of  the  food 
safety  issues  it  could  address.22  Aligning  CAPiFS  to  deliver  on  an  Alberta  Food 
Safety  Strategy  would  result  in  identification  and  management  of  food  safety 


20  Canada-Alberta  Partners  in  Food  Safety  is  a  joint  undertaking  of  Health  Canada,  the  Canadian  Food  Inspection  Agency, 
Health,  Agriculture  and  AHS.  The  first  four  entities  provided  CAPiFS'  financing  and  resources. 

21  DC9  is  a  group  formed  by  the  environmental  health  directors  from  each  of  the  nine  health  regions.  Although  the  nine 
regions  are  now  united,  DC9  continued  to  meet  throughout  our  follow-up  audit. 

22  See  section  4.9  for  examples  of  issues  that  CAPiFS  could  address. 
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risks  and  improvements  in  the  coordination  and  coverage  of  food  safety 
directives  across  the  province.  Refocusing  CAPiFS  could  also  provide  an 
opportunity  to  increase  the  participation  of  federal  partners  such  as  the  First 
Nations  and  Inuit  Health  Branch  of  Health  Canada. 


An  example  of 
how  coordination 
could  improve 


The  2008  review  of  the  mobile  butchers"  facilities  illustrates  how  coordination 
can  improve.  We'll  discuss  the  content  of  that  review  in  the  next 
recommendation,  but  here  we  talk  about  process.  The  review  was  led  by 
Agriculture  who  hired  a  consultant  to  review  the  status  of  mobile  butchers  in 
Alberta.  The  consultant  invited  both  Agriculture  and  AHS  staff  to  the  facility 
visits.  The  consultant  completed  the  review  and  submitted  his  report  to 
Agriculture.  Many  of  the  facilities  presented  food  safety  risks.  At  that  time, 
AHS  still  regulated  these  facilities.  Agriculture  shared  the  final  report  with 
Health  but  neither  Agriculture  nor  Health  passed  it  along  to  AHS.  As  well,  no 
further  action  was  taken  by  the  regulators  to  correct  the  known  food  safety 
risks.  A  coordinated  response  would  have  seen  the  risks  promptly  mitigated. 


Policies  have  been 
reviewed 


Sub-recommendations  with  satisfactory  progress 

Since  our  2005-2006  Annual  Report,  there  has  been  identifiable  progress  in 
developing  food  safety  policies  and  strategies.  We  outline  some  of  the 
important  initiatives  and  what  remains  to  be  done. 


Draft 

Environmental 
Public  Health 
Strategic  Plan 


Health  led  a  cross-ministry  initiative  to  create  a  draft  Environmental  Publie 
Health  Strategic  Plan.  Food  safety  is  one  component  of  environmental  public 
health.  The  Plan  is  written  so  that  all  ministries  with  responsibilities  in  the 
environmental  public  health  field  can  follow  a  common  vision,  mission  and 
goals,  then  implement  in  a  coordinated  fashion.  AHS,  Agriculture  and  other 
departments  participated  in  the  development  of  the  Plan.  The  Plan  was 
completed  in  December  2008,  but  has  not  yet  been  approved. 


Draft  Alberta 
Food  Safety 
Strategy 


Agriculture  initiated  and  CAPiFS  completed  a  draft  Alberta  Food  Safety 
Strategy  in  April  2008.  The  Alberta  Food  Safety  Strategy'  awaits  approval  of  the 
national  strategy  for  safe  food.  Again,  the  Strategy  had  cross-ministry  input.  It 
proposes  initiatives  in  four  areas: 

•  greater  standardization  and  controls  (including  enhanced  governance  and 
accountability) 

•  optimizing  resources  (e.g.,  IT,  financial  and  knowledge  management) 

•  improved  operations 

•  effective  change  management 


FPT  committee 
work 


In  our  2005-2006  Annual  Report,  we  discussed  the  FPT  committees  with 
overlapping  interests  in  food  safety.  Since  then,  participants  have  reduced  the 
number  of  FPT  committees;  now  most  FPT  food  safety  deliberation  flows 
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Alberta  HACCP 

Advantage 

program 


HACCP  training 
provided  to  health 
inspectors  and 
food  handlers 


through  the  Food  Safety  Committee.  The  committee  consists  of  39  members 
from  across  Canada  and  is  co-chaired  by  a  senior  Agriculture  staff  member. 
Health  is  also  represented  on  the  committee.  Alberta's  own  safe  food  strategy 
was  developed  in  parallel  with  the  FPT  committee's  national  strategy,  so 
Alberta's  initiatives  align  with  the  national  strategy. 

In  2006,  Agriculture  introduced  the  Alberta  HACCP  Advantage  (AHA) 
program.  This  is  a  federally  funded  program  administered  by  Agriculture.  By 
the  end  of  March  2009,  253  processors  have  used  AHA  grants,  advice  and  audit 
services  to  implement  HACCP  in  their  operations. 

The  restaurant  sector  has  not  been  as  quick  to  integrate  HACCP  into  their 
operations  as  food  processers  have  been.  There's  not  the  same  trade-based 
imperative  for  restaurants,  nor  do  smaller  restaurants  have  the  resources  to 
implement  full-blown  HACCP.  However,  as  a  starting  point,  HACCP  training 
has  been  rolled  out  to  public  health  inspectors  and  food  handlers. 

What  remains  to  be  done 

The  Alberta  ministries'  two  strategic  documents,  the  Environmental  Public 
Health  Strategic  Plan  and  the  Alberta  Food  Safety  Strategy,  represent  a 
strategic  foundation  for  food  safety.  The  FPT  National  Strategy  for  Safe  Food 
is  closely  aligned  to  Alberta's  documents.  The  plans  need  to  be  approved  and 
their  coordinated  initiatives  need  to  be  implemented.  Whether  and  how  HACCP 
or  HACCP-related  programs  will  be  used  by  secondary  and  tertiary  food 
processors  in  Alberta  needs  to  be  resolved. 

Implications  and  risks  if  recommendation  not  implemented 

Without  integrated  strategies  for  food  safety  in  Alberta,  individual  programs 
may  not  be  as  coordinated,  effective  or  efficient  as  they  could  be.  If  regulators 
do  not  resolve  jurisdictional  and  information  sharing  issues,  food 
establishments  in  Alberta  may  not  be  routinely  and  fully  inspected. 

4.9  Eliminating  gaps  in  food  safety  inspection  coverage— recommendation 
repeated 

We  have  repeated  this  recommendation,  first  made  as  an  unnumbered 
recommendation  in  our  2005-2006  Annual  Report  (vol.  1— page  102).  We 
reported  gaps  in  coverage  of  food  establishments  because  those  establishments 
did  not  fit  clearly  within  the  mandate  of  one  regulator  or  another.  This  is  where 
lack  of  clarity  in  roles  and  responsibilities  allows  higher  risk  facilities  to 
operate. 
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Recommendation  No.  12 — repeated 

We  again  recommend  that  Alberta  Health  Services  and  the  Departments  of 
Health  and  Wellness  and  Agriculture  and  Rural  Development,  working 
with  federal  regulators,  eliminate  the  existing  gaps  in  food  safety  coverage 
in  Alberta.  Gaps  include: 

•  mobile  butchers 

•  consistently  administering  the  Meat  Facility  Standard 

•  coordinating  inspections  in  the  "non-federally  registered''  sector 


Mobile  butchers 


Meat  Facility 
Standard  was  a 
joint  effort 


Two  types  of 
CFIA  inspections 


Background 

A  mobile  butcher  slaughters  animals  on  the  animal  owner's  premises.  The  meat 
is  for  the  owner's  use  and  cannot  be  sold.  The  mobile  butcher  eviscerates,  skins 
and  halves  the  animals  on  site.  In  many  cases,  the  mobile  butcher  then  takes  the 
halves  back  to  his  own  facility  for  further  processing.  Agriculture  licenses  the 
mobile  butcher,  but  historically  the  health  regions  licensed  the  mobiler's 
processing  facility. 

Collaboration  between  the  Ministries  of  Agriculture  and  Health  produced  the 
Meat  Facility  Standard.  The  Standard  outlines  the  requirements  that  must  be 
met  by  meat  processing  plants.  Historically,  public  health  inspectors  inspected 
all  provincially  regulated  meat  facilities.  Starting  in  2000.  Agriculture's  meat 
inspectors  began  to  enforce  the  Standard    meat  facilities  attached  to 
provincially  regulated  slaughter  facilities. 

Broadly  speaking,  the  Canadian  Food  Inspection  Agency  (CFIA)  conducts  two 
types  of  inspections.  First,  it  registers  and  inspects  facilities  that  qualify  under 
its  federal  meat,  eggs  or  other  legislation.  These  are  federally  registered 
facilities  and  the  CFIA's  inspections  are  comprehensive.  Second,  the  CFIA  has 
narrower  inspection  responsibilities  under  other  federal  legislation.  For 
example,  the  CFIA  may  inspect  food  establishments  specifically  for  labeling  or 
export  certification  purposes.  These  are  not  full  inspections,  nor  are  all  the 
facilities  inspected  under  these  programs  federally  registered. 


Criteria:  the  standards  we  used  for  our  audit 

Agriculture,  Health  and  AHS,  together  with  other  food  safety  regulators,  should 
identify  overlaps  and/or  gaps  in  the  food  safety  continuum.  Higher  risk  food 
establishments  that  operate  in  the  void  left  by  overlaps  or  gaps  should  be 
identified  and  corrected  promptly  and  effectively. 
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No  action  taken 
on  facilities 
identified  in  2006 


Our  audit  findings 
Mobile  butchers 

When  we  reported  in  2006,  meat  inspectors  with  Agriculture  had  identified 
20  mobile  butchers'  facilities  with  food  safety  issues.  Agriculture  had  passed 
that  information  along  to  Health.  Coordination  stalled  at  that  point  as  the  public 
health  inspectors  in  the  health  regions  were  never  alerted  to  these  problem 
facilities.  As  far  as  we  can  determine,  no  further  regulatory  actions  were  taken 
with  these  20  facilities. 


Review  done  by 
Agriculture  on  56 
facilities 


Issues  at  mobile 
butcher  facilities 
not  corrected 


To  address  this  situation,  Agriculture  and  Health  planned  to  transfer  regulatory 
jurisdiction  for  the  facilities  from  AHS  to  Agriculture.  In  preparation  for  this 
switch,  Agriculture  had  a  consultant  conduct  "an  onsite  baseline  food  safety 
assessment  of  each  of  these  freestanding  meat-processing  facilities"23  in  spring 
2008.  For  these  reviews,  the  consultant  invited  both  AHS  and  Agriculture  staff 
to  attend.  The  consultant  reviewed  all  56  known  mobile  butchers'  facilities  and 
found: 

•  24  of  56  facilities  did  not  demonstrate  a  standard  of  overall  acceptable 
cleanliness 

•  30  of  56  facilities  employed  workers  that  did  not  follow  proper  personal 
hygiene  and  food  handling  practices 

•  1 0  of  56  facilities  produced  either  fermented  or  dry  cure  sausages — there 
were  no  process  control  records  in  place  for  these  products.  Fermented  and 
dry  cure  sausages  are  considered  high-risk  products 

Jurisdiction  over  mobile  butchers  changed  in  April  2009.  At  the  time  of  our 
follow-up  field  audit  work,  mobile  butchers  were  operating  as  they  had  when 
we  reported  in  2006.  As  of  June  2009,  Agriculture  has  started  inspecting  the 
mobile  butchers'  permanent  shops  as  well  as  their  trucks.  Agriculture  intends  to 
use  the  findings  of  the  spring  2008  review  as  the  basis  for  a  new  initiative  to 
inform  and  educate  mobile  butchers. 


Increased 
inspection  of  meat 
facilities 


Meat  Facility  Standards 

Agriculture's  Regulatory  Service  Division  (RSD)  developed  a  new  inspection 
worksheet  for  meat  inspectors  that  covers  22  points  from  the  Meat  Facility 
Standards.  Now  inspectors  examine  facility  documentation  and  aspects  of 
facility  maintenance  along  with  their  regular  inspection  of  animals.  Agriculture 
also  introduced  the  Red  Meat  Facility  Audit  in  2008.  Every  red  meat  facility  is 
audited  three  times  a  year;  two  are  "partial"  audits  and  one  is  "full."  The 
Facility  Audit  procedures  test  compliance  with  all  elements  of  the  Meat  Facility 
Standard.  Facilities  receive  a  score  from  the  audit  and  results  are  shared  with 


23  Alberta  Agriculture's  Regulatory  Services  Division's  internal  document,  Mobile  Butcher  Jurisdictional  Change 
Deployment  Project  -  Third  Party  Food  Safety  Assessments,  p.  1 . 
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the  facility  operator.  On  average  across  the  province,  scores  for  meat  facilities 
have  risen  from  54%  to  75%,  indicating  improved  food  safety  practices. 


Problems  still 
exist 


Meat  facility 
inspections  by 
AHS  are 
infrequent 


However,  our  audit  testing  indicates  that  a  small  number  of  facilities  continue 
to  operate  despite  long  histories  of  poor  compliance  with  the  Meat  Facility 
Standard.  For  example,  in  the  Edmonton  region  we  looked  at  the  history  of  five 
facilities  with  poor  inspection  results.  Problems  like  poor  records  management, 
facility  disrepair,  and  inappropriate  staff  activities  compounded  to  give  these 
facilities  low  scores.  While  this  is  the  first  year  of  the  audit  process,  these 
problems  are  not  new  to  these  operators.  One  facility  happened  to  be  a  file 
sample  from  our  2006  audit;  the  serious  issues  recorded  in  2006  continue  today. 
Agriculture  has  not  moved  up  the  compliance  ladder  with  this  and  other 
facilities  despite  ongoing  food  safety  risks. 

We  discussed  earlier  the  issue  with  the  frequency  of  AHS's  food  establishment 
inspections.  To  compound  this  issue,  AHS  does  not  inspect  meat  facilities  as 
frequently  as  restaurants.  It  may  be  years  between  inspections  of  AHS- 
regulated  meat  facilities. 


Inventory  of 
non-federally 
registered 
facilities  has 
begun 


Non-federally  registered 

As  we  reported  in  2006,  the  federal  and  provincial  participants  need  to 
inventory  the  non-federally  registered  facilities.  The  natural  choice  of 
coordinating  group  is  CAPiFS  because  it  includes  representatives  from  Health 
Canada,  the  Canadian  Food  Inspection  Agency,  Agriculture,  Health  and  AHS. 
Meeting  minutes  show  that  CAPiFS  began  to  compile  the  inventory  in 
January  2009.  CAPiFS  is  still  months  away  from  completing  the  inventory; 
actual  inspection  and  regulation  of  facilities  are  still  in  the  future. 


Implications  and  risks  if  recommendation  not  implemented 

Without  timely  action  on  known  food  safety  issues,  food  safety  regulators 
accept  an  increased  risk  to  Albertans'  health.  If  regulators  do  not  resolve 
jurisdictional  and  information  sharing  issues,  food  establishments  may  not  be 
routinely  and  fully  inspected.  Poor  food  safety  practices  in  these  establishments 
may  not  be  detected. 

4.10  Accountability — recommendation  repeated 

We  have  repeated  this  recommendation,  first  made  as  Key  Recommendation 
No.  12  in  our  2005-2006  Annual  Report  (vol.  1 — page  105).  The  actual 
reporting  available  to  the  Legislature  and  people  of  Alberta  has  not  materially 
improved  since  we  reported  our  results  in  October  2006. 
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Joint 

accountability 


Health  had  little 
information  in 
2006 


Agriculture  had 
performance 
measures  and 
strategies 


Recommendation  No.  13 — repeated 

We  again  recommend  that  the  Departments  of  Health  and  Wellness  and 
Agriculture  and  Rural  Development  improve  reporting  on  food  safety  in 
Alberta. 

Background 

In  our  2005-2006  Annual  Report,  we  discussed  the  issue  of  joint  accountability 
in  an  environment  of  shared  responsibility  for  the  food  safety  continuum.  There 
was  no  system  where  joint  accountability  could  be  worked  out. 

Food  safety  is  a  component  of  the  environmental  health  divisions  at  Health  and 
AHS.  In  2006,  Health  had  little  coordinated  information  about  environmental 
health  planning,  performance  or  outcomes.  Health  did  not  have  systems  to 
collect  consistent,  relevant  data  that  could  be  used  to  report  to  legislators  and 
the  public.  Interested  parties  could  not  determine  the  effectiveness  of 
environmental  health  initiatives. 

The  situation  at  Agriculture  was  different  because  food  safety  is  a  Ministry 
goal.  Agriculture  included  strategies  and  performance  measures  for  its  food 
safety  goal.  We  noted  that  Agriculture's  performance  measurement  around 
surveillance  projects  and  HACCP  could  improve. 

Criteria:  the  standards  we  used  for  our  audit 

The  Ministers  of  Health  and  Agriculture  should  be  able  to  demonstrate 
accountability  for  the  integrated  food  safety  program  in  Alberta.  In  addition, 
individual  entities  should  also  be  accountable  for  their  specific  food  safety 
mandate.  Each  entity  should  contribute  to  integrated  accountability  by  reporting 
on  its  operations  (e.g.,  cost  and  outputs)  and  effectiveness  (meeting  objectives). 
Reporting  should  include  quantifiable  performance  measurement  where 
possible.  The  entities  should  use  the  accountability  process  to  enhance  program 
design  and  delivery. 


Cross-ministry 
work  has  begun 
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Our  audit  findings 

Health  and  Agriculture  have  made  some  progress  in  laying  the  foundation  for 
food  safety  accountability.  We  have  described  how  the  Ministries  coordinate 
strategic  work  through  CAPiFS  and  have  worked  to  develop  both  a  National 
Strategy  for  Safe  Food  and  an  Alberta  Food  Safety  Strategy.  The  Alberta  Food 
Safety  Strategy,  subtitled  Building  the  Integrated  Food  Safety  Strategy, 
identifies  ten  prioritized  strategic  initiatives  for  the  province.  Amongst  the  ten 
initiatives,  accountability  is  the  fourth  highest-ranked  and  addresses  two  related 
issues.  First,  roles  and  responsibilities  need  to  be  clarified  as  we  discussed  in 
sections  4.8  and  4.9.  Second,  participants  should  demonstrate  the  effectiveness 
of  the  food  safety  system. 
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But  no  approval  or 
implementation 


No  change  in 
reporting  at  Health 


Accountability 
systems  exist  at 
Agriculture 


As  participants  have  neither  approved  nor  implemented  the  Alberta  Food  Safety 
Strategy,  integrated  cross-ministry  accountability  for  food  safety  has  not  yet 
progressed. 

The  Environmental  Public  Health  Strategic  Plan  \s  fourth  recommendation 
deals  with  the  development  of  indicators  and  outcomes,  w  hile  the  fifth 
promotes  "the  need  for  an  annual  environmental  public  health  report."  As  food 
safety  is  an  important  part  of  environmental  health,  Health  will  be  able  to 
demonstrate  accountability  once  participants  implement  the  Strategic  Plan.  At 
present,  information  systems,  central  monitoring  of  results,  and  public  reporting 
are  unchanged  since  2006.  We  conclude  that  accountability  for  food  safety  has 
not  improved  at  Health. 

In  its  annual  reports.  Agriculture  provides  extensive  information  about  its  food 
safety  goal.  The  2007-2008  Report  discloses  the  cost  of  its  food  safety 
activities  and  describes  how  Agriculture  addressed  its  seven  related  strategics. 
Agriculture's  food  safety  performance  measures  are  evolving.  It  now  has  t\\  o 
performance  measures,  one  related  to  red  meat  facilities  and  another  about 
industry  adoption  of  HACCP.  Agriculture's  reporting  is  the  most 
comprehensive  of  the  material  now  available  about  food  safety  in  Alberta. 

Implications  and  risks  if  recommendation  not  implemented 

Without  a  system  to  coordinate  accountability  for  food  safety,  the  Ministries 
will  not  be  able  to  demonstrate  the  effectiveness  of  their  actions  in  an 
environment  of  shared  responsibilities.  Individual  participants  also  need 
systems  to  demonstrate  the  effectiveness  of  their  own  food  safety  activities. 
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Summary 

What  we  examined 

A  Government  of  Alberta  goal  is  "Alberta  will  be  a  sale  place  to  live,  work  and 
raise  families."1  The  Alberta  Transportation  2008  201 1  business  plan  supports 
this  with  a  goal  that  "Alberta  has  the  safest  and  most  efficient  road  and  rail 
systems  in  C  anada."'' 


Transportation 
does  roadside 
inspections  of 
commercial 
\  chicles 


Commercial  vehicles  play  a  vital  role  in  Alberta's  economy.  By  monitoring  and 
enforcing  safety  standards  for  Alberta's  120,000  commercial  v  ehicles  registered 
for  our  roads,  the  Department  of  Transportation  promotes  road  safety  w  hile 
acknowledging  the  commercial  nature  of  the  industry.  Our  audit  objective  was 
to  examine  and  evaluate  the  systems  used  by  the  Department  to  monitor  and 
enforce  commercial  vehicle  safety  programs  through  its  roadside  inspection 
program. 


High  cost  of 
collisions 


Why  it  is  important  to  Albertans 

Increasing  volumes  of  vehicles  and  collisions  continue  to  be  a  source  of 
concern  to  industry,  regulators,  and  the  general  public.  Commercial  vehicle 
collisions  result  in  substantial  direct  and  indirect  costs.  The  Department 
estimates  that  for  2008,  the  cost  of  reported  collisions  involving  at  least  one 
commercially  registered  truck"  was  over  $1 .7  billion.  The  cost  of  a  fatal 
collision  could  reach  $15  million;  typical  injury  collisions  averaged  about 
$120,000  and  property  damage  collisions  averaged  $8,000.  In  2007.  there  w  ere 
107  fatal  collisions  in  Alberta  involving  at  least  one  commercially  registered 
truck.  In  2008,  there  were  9 1  / 


Well  designed 
s\  siems  to 
conduct  roadside 
inspections 


What  we  found 

The  Department  has  well-designed  systems  to  monitor  and  enforce  commercial 
vehicle  mechanical  safety  issues.  All  commercial  v  ehicles  arc  inspected 
annually  by  a  certified  inspector,  and  about  18,000  of  them  are  more  stringently 
re-examined  at  roadside  or  at  weigh-scales  during  a  year.  Further,  the 
Department  employs  continuous  quality  improvement  principles  by 
re-examining  aspects  of  their  various  programs,  such  as  Safety  Fitness 
Certificates  and  progressive  discipline  sanctions.  Also,  in  2008  the  Department 
undertook  an  extensive  project  to  examine  the  causes  of  Out-of-Service  (OOS) 
vehicles.  An  OOS  vehicle  is  one  that  an  inspector  has  deemed  unlit  to  continue 


Budget  2008.  The  Right  Plan  for  Today  and  Tomorrow,  Government  of  Alberta  Strategic  Business  Plan 
"  Vehicle  weight  over  4,500  kilograms 
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without  the  correction  of  an  identified  issue.  The  OOS  project  developed  seven 
themes4  and  made  recommendations  for  strategies  to  address  its  findings. 


Opportunities  to 
improve  system 


Majority  of 
collisions  due  to 
driver  beha\  ior 
not  mechanical 
condition 


However,  during  our  audit,  we  found  opportunities  for  improvement: 

•  In  addition  to  annual  inspections,  the  Department  inspects  approximately 
15%  of  commercial  vehicles  and  drivers  and  collects  some  information  on 
all  carriers.5  Although  this  volume  may  be  statistically  appropriate,  the 
Department  doesn't  have  a  process  to  identify  the  trucks  and  drivers  it  has 
not  inspected,  or  a  process  to  identify  the  high-risk  ones  that  it  should. 

•  Inspection  information  processing  is  not  timely,  and  relevant  information  is 
not  always  available  at  roadside  to  assist  in  subsequent  inspections. 

•  Camers  can  operate  with  identified  safety  issues  indefinitely  without 
significant  enforcement  action. 

•  Over  85%  of  commercial  vehicle  collisions  with  an  identified  cause  have 
been  identified  as  resulting  from  driver  behaviour,  rather  than  mechanical 
failure.  Professional  driver  and  safety  training  is  available,  but  not 
mandatory  for  a  licence  to  operate  a  commercial  vehicle. 


Need  to  strengthen 
processes  and  use 
data  better 


What  needs  to  be  done 

The  Department  has  demonstrated  that  they  are  examining  their  processes  and 
identifying  potential  changes  to  their  systems.  We  make  three  recommendations 
to  support  these  efforts.  We  recommend  that  the  Department: 

•  develop  risk-based  methods  for  selecting  vehicles  for  inspection  and 
improve  the  quality  of  information  available  to  inspectors  at  roadside 

•  strengthen  enforcement 

•  use  data  better  to  develop  strategies  and  performance  measures 

2.  Audit  objectives,  scope  and  approach 

Our  objective  was  to  examine  and  evaluate  the  systems  used  by  the  Department 
of  Transportation  to  monitor  and  enforce  commercial  vehicle  safety  programs. 
We  examined  how  legislation  and  safety  requirements  are  communicated,  how 
inspection  results  are  collected  and  recorded,  how  results  are  analyzed  to  affect 
operations,  enforcement  activities  and  how  the  monitoring  and  enforcement 
systems  are  measured.  We  examined  activities  undertaken  by  the  Department  in 
2007  and  2008. 


4  Themes  are:  understanding  and  awareness,  data  collection,  branch  coordination,  inconsistent  application  of  policy, 
inter-jurisdictional  coordination,  use  of  technology  and  human  resources 

5  A  "carrier"  is  a  company  operating  a  single  or  a  fleet  of  commercial  vehicles. 
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3.  Overview 

The  Department's  activities  include  regulating  commercial  vehicles  that  operate 
in  Alberta  and  enforcing  safety  standards.  During  the  2008  2009  fiscal  year, 
the  Department  spent  over  SI  1 .3  million  on  programs  to  enforce  commercial 
truck  safety.6  There  are  two  types  of  commercial  trucks  subject  to  enforcement: 

•  weighing  over  4.500  kilograms  and  travel  out-of  or  pass  through  Alberta 

•  weighing  over  1 1,794  kilograms  and  operate  exclusively  in  Alberta 

The  Department  is  developing  a  new  model  to  estimate  direct  and  indirect 
social  costs  of  collisions  for  Alberta.  Preliminary  estimates  of  this  model  for 
2008  collisions  involving  at  least  one  commercially  registered  truck  totaled 
over  $1 .7  billion.  The  cost  of  a  fatal  collision  could  be  $15  million:  injury 
collisions  may  exceed  $120,000  and  property  damage  collisions  averaged 
S8.000.  Effective  programs  to  reduce  the  incidence  and  magnitude  of  trucking 
collisions  may  have  significant  economic  and  social  benefits. 


Joint  federal/ 

provincial 

responsibilities 


Legislative  Requirements 

The  Department  monitors  commercial  vehicles  pursuant  to  Alberta's  Traffic 
Safely  Act.  The  Government  of  Canada  is  responsible  for  monitoring  federal 
carriers8  licenced  in  Alberta  and  delegates  this  responsibility  to  Alberta 
pursuant  to  the  Motor  Vehicle  Transport  .lei'  (MVTA  Canada).  The  MVTA 
(  anada  requires  provinces  to  enforce  the  National  Safety  Code  (NSC)  for 
federal  carriers.  Alberta  entered  into  an  agreement  with  Transport  Canada  in 
2005  to  implement  the  National  Safety  Code  for  federal  carriers  and  report 
annually  on  its  progress. 


Federal  carriers 
operate 
throughout 
Canada 

Provincial  carriers 
operate  in  Alberta 


The  NSC  requires  commercial  vehicles  to  have  a  Safety  Fitness  Certificate. 
Alberta  regulates  carriers  that  travel  within  the  province  as  well  as  federal 
carriers.  Alberta  issues  two  types  of  Safety  Fitness  Certificates: 

•  Federal  operating  status — for  vehicles  that  operate  throughout  Canada  and 
internationally  and  weigh  more  than  4,500  kilograms.  These  vehicles  are 
the  size  of  a  large  pick-up  truck  such  as  those  often  used  by  welders  and 
other  trades  people  in  the  oil  and  gas  industry. 

•  Provincial  operating  status — for  vehicles  that  operate  only  in  Alberta  and 
weigh  more  than  1 1,794  kilograms.  These  vehicles  are  single  load  vehicles 
such  as  gravel  trucks  and  large  trucks  that  pull  trailers  and  have  multiple 
axles. 


We  exclude  buses  from  this  audit  and  these  figures  as  they  are  monitored  under  a  different  set  of  regulations. 

7  R.S.A.  2000,  c.T-6;  Alberta  inspects  both  provincial  and  federal  carriers. 

8  A  federal  carrier  operates  inter-provincially  and  internationally. 

9  R.S.C.  1985.  c.  29(3rdSupp.) 
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Yearly  safety 
inspection  for  al 
commercial 
vehicles 


The  Alberta  Commercial  Vehicle  Safety  Regulation10  came  into  effect 
July  1,  2009.  The  Alberta  regulations  were  updated  to  ensure  they  are 
consistent  with  current  Canadian  and  North  American  standards.  The  new 
regulations  are  the  result  of  a  multi-year  review  of  commercial  vehicle  safety 
and  equipment  regulations.  This  review  involved  extensive  consultation  with 
commercial  vehicle  stakeholders  including  industry,  municipal  and  safety 
organizations.  The  Department  uses  bulletins,  its  website  and  communications 
through  industry  partners  to  inform  carriers  of  changes  to  the  Regulation. 

Annual  vehicle  inspections  and  permits 

All  commercial  vehicles  must  be  inspected  annually  by  a  certified  inspector. 
We  audited  this  annual  process  in  2004.  The  results  of  that  audit  are  in  our 
2003-2004  Annual  Report  at  pages  301  to  307.  Carriers  can  also  apply  for  one 
of  1 8  permits  allowing  them  to  work  outside  of  standard  operating  constraints, 
such  as  extended  driver's  hours  of  service,  livestock  feed  relief  exemption,  oil 
and  gas  well  service  vehicles  or  cargo  insurance  exemption.  We  did  not  audit 
the  permit  application  and  granting  process. 


Carriers  must 
certify  they  are 
safe 


Safety  Fitness  Certificates 

A  Safety  Fitness  Certificate  (SFC)  is  needed  to  register  a  commercial  vehicle 
that  requires  inspection.  This  includes  both  Alberta-only  vehicles  weighing 
over  1 1 ,794  kilograms  and  federally  operated  vehicles  over  4,500  kilograms. 
The  applicant  must  confirm  that  they  possess  comprehensive  knowledge  of 
safety  laws  in  their  jurisdiction,  have  a  written  safety  and  maintenance  plan, 
have  designated  person(s)  to  manage  the  plans  and  are  insured. 

Upon  registration,  the  applicant  receives  a  60-day  temporary  certificate.  During 
that  period  they  receive  a  package  outlining  the  NSC  requirements  and  are 
required  to  submit  documentation  demonstrating  that  they  comply. 

Successful  applicants  receive  a  Satisfactory-Unaudited  Safety  Fitness 
Certificate.  The  status  of  this  certificate  can  change  over  time  depending  on  the 
results  of  subsequent  inspections.  An  unsatisfactory  inspection  result  can  lead 
to  a  carrier  being  required  to  stop  operating. 


New  carriers 
often  lack 
understanding  of 
safety  issues 


The  Department  found  that  under  the  current  SFC  application  process  new 
carriers  demonstrated  a  lack  of  understanding  of  regulations  at  roadside  and 
often  failed  audits.  The  Department  is  developing  a  strategy  to  strengthen  the 
application  process.  Any  upcoming  changes  that  may  occur  to  this  process  do 
not  form  part  of  this  audit. 
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Roadside 
inspections  in 
addition  to  annual 
safety  checks 


Roadside  inspections 

In  addition  to  annual  vehicle  inspections,  the  Department's  C  ommercial 
Vehicle  Enforcement  Branch  (Enforcement)  is  responsible  for  on-road  vehicle 
inspections  in  the  province.  The  Department  operates  19  fixed  and  a  variable 
number  of  mobile  roadside  inspection  units.  Enforcement's  role  is  to  attempt  to 
modify  industry  behaviour  through  the  use  of  progressive  sanctions. 


Inspectors  use  the  Commercial  Vehicle  Safety  Alliance  (CVS A)  criteria  to 
inspect  both  federally  and  provincially  licenced  commercial  vehicles,  and  their 
drivers.  The  CVS  A  is  a  not-for-profit  organization  that  establishes  the 
commercial  vehicle  enforcement  criteria  used  by  all  government  inspection 
programs  within  North  America."  There  are  seven  levels  of  CVSA  inspection. 
Levels  1  and  2  are  the  most  comprehensive,  and  assess  both  the  vehicle  and 
driver  against  multiple  criteria.  The  remaining  levels  focus  on  either  the  vehicle 
or  the  driver,  are  specific  to  dangerous  goods,  a  jurisdictional  concern  or  are 
focused  in  support  of  a  study.  Transport  Canada  requires  all  provinces  and 
territories  to  share  the  results  of  CVSA  inspections  for  federal  carriers  w  ith  the 
province  in  which  the  vehicle  is  registered. 

A  CVSA  inspection  has  three  potential  outcomes: 

•  pass 

•  requires  attention 

•  out-of-service  (OOS) 


Failed  inspections 
may  result  in 
vehicle  taken 
out-of-service 


Requiring  attention  means  an  issue  is  to  be  corrected  at  the  conclusion  of  the 
current  trip  while  OOS  means  correction  is  needed  before  the  v  ehicle  and/or 
driver  continues. 

•  if  a  vehicle  is  placed  OOS.  an  out-of-service  sticker  is  applied  to  the 
vehicle 

•  proof  of  repairs  must  be  reported  to  a  peace  officer  before  a  v  ehicle  placed 
OOS  can  be  operated 

•  peace  officers  will  not  release  vehicles  from  an  OOS  order  until  all 
required  repairs  have  been  satisfactorily  completed 

•  if,  at  the  discretion  of  the  officer,  it  is  less  hazardous  to  the  public  to 
relocate  the  vehicle,  it  shall  be  towed,  transported,  or  escorted  to  the 
nearest  safe  location 

•  vehicles  or  drivers  placed  OOS  will  be  issued  a  ticket(s)  for  defcct(s)  at  the 
discretion  of  the  peace  officer 


"  Executive  Committee  Position  Responsibilities  Revised  February  14.  2007.  1996  2007  Commercial  Vehicle  Safet} 
Alliance 
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Traffic  Violation 
Reports  may  be 
issued 


Another  tool  available  to  inspectors  is  a  Traffic  Violation  Report  (TVR)  to 
report  issues  found  which  are  not  covered  by  the  CVSA  inspection.  Both  types 
of  inspection  forms  are  forwarded  to  the  central  office  in  Red  Deer,  Alberta 
where  they  are  batched  and  sent  to  a  service  provider  for  data  entry  into  the 
Department's  Motor  Transport  Information  System. 


Inspectors  are 
trained  peace 
officers 


All  inspectors  are  peace  officers  and  can  issue  violation  tickets.  Officers  are 
trained  in  a  seven-day  "Hours  of  Service"  course,  then  a  two-week  CVSA 
course.  The  first  week  of  CVSA  covers  drivers  licensing  requirements  and 
hours  of  service;  the  second  week  is  a  theory  and  practical  mechanical  portion. 
On  the  job  training  consists  of  being  partnered  with  a  senior  inspector  for 
thirty-two  Level  1  inspections — their  last  two  inspections  are  supervised  by  a 
certified  CVSA  instructor  before  the  trainee  is  advanced.  The  Department 
requires  officers  to  complete  at  least  120  Level  1  inspections  annually.  The 
CVSA  standard  requires  only  32.  Inspections  are  recorded  from  the  vehicle  at 
roadside  and  in  weigh-stations. 


Carrier  profiles  and  risk  factor  analysis 

A  carrier  profile  reports  a  carrier's  history  of  convictions,  inspections  and 
collisions  using  information  provided  by  inspectors,  law  enforcement  and  other 
government  agencies.  The  profiles  are  accessible  to  the  carriers  and  are  used  by 
the  Department  branches.  The  most  detailed  version  of  the  profile  has  ten 
sections  and  provides  comprehensive  information  allowing  the  reader  to 
pinpoint  the  types  of  issues  a  carrier's  operation  is  encountering. 


Carriers  are 
assigned  a  Risk 
Factor 


Every  carrier  profile  assigns  a  Risk  Factor  (R-Factor).  The  R-Factor  is  a 
statistically  generated  value  that  incorporates  a  carrier's  fleet  size,  convictions, 
collisions  and  CVSA  results.  For  example,  if  the  profile  indicates  that  the 
R-Factor  for  that  carrier  is  made  up  of  33%  collisions,  33%  inspection  issues 
and  33%  convictions  then  the  carrier  has  to  work  on  all  three  areas  of  their 
operation.  If  on  the  other  hand  the  factors  are  75%,  15%  and  10%,  the  carrier  is 
given  a  clear  signal  to  focus  on  reducing  collisions.  Carriers  can  download  their 
profile  through  a  secure  website.  For  large  fleet  operators  it  is  very  valuable  as 
it  provides  all  incident  details,  allowing  them  to  identify  issues  with  equipment, 
drivers  and  practices. 


Department 
identifies  worst 
5%  of  carriers 


"On-monitoring"  status  and  progressive  sanctions 

National  Safety  Code  standards  require  the  Department  to  take  corrective  action 
with  the  worst  5%  of  all  carriers  in  the  province.  The  Department  uses  the 
R-Factor  to  identify  this  group.  Once  identified,  the  carrier  is  placed 
"on-monitoring." 
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at  why 
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recommendations 
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For  carriers  placed  "on-monitoring,"  the  Department's  computer  system 
automatically  sends  the  carrier  a  package  that  includes  their  profile  and 
information  on  compliance  in  Alberta.  The  cover  letter  informs  the  carrier  that 
"being  at  any  monitoring  stage  is  not  acceptable....  Failure  to  address 
non-compliance  issues  within  a  reasonable  time  will  result  in  the  Department 
taking  any  actions  it  considers  necessary  including  requiring  an  audit  be 
conducted  and  submitted:  downgrading  rating;  non-support  of  safety  permits 
and  licences;  assigning  conditions  to  complete;  attending  a  hearing  with  a 
review  committee;  issuing  an  administrative  penalty." 

Currently  the  progressive  sanctions  procedures  are  under  review  and  potential 
changes  may  make  better  use  of  administrative  penalties  and  withdraw  al  of 
permits.  The  proposed  changes  take  a  carrier's  ability  to  comply  into 
consideration,  but  with  less  tolerance  for  systemic  non-compliance. 

Commercial  Vehicle  Enforcement  Plan 

The  Commercial  Vehicle  Enforcement  Plan  focuses  on  four  key  initiatives: 

•  enhanced  enforcement  efforts 

•  communication,  education,  public  awareness  and  public  relations 

•  improved  data  quality 

•  improved  communication-collaboration  with  partners 

The  Plan  was  developed  with  input  from  senior  management  from  the 
Department's  seven  regions.  Members  of  the  planning  team  identified  several 
barriers  to  ongoing  operations,  including  having  sufficient  time  and  human 
resources,  the  quantity  of  commercial  vehicles  on  the  roads,  data  collection 
requirements  and  maintaining  consistent  behaviour  and  documentation  between 
regions.  The  planning  objectives  and  processes  were  developed  with  these 
challenges  in  mind. 

In  December  2008,  the  Department  released  "Commercial  Vehicle 
Out-of-Service  Rate  Analysis  Project"  (OOS  Project).  This  year-long  project 
examined  why  out-of-service  rates  exceed  35%  of  vehicles  inspected  roadside. 
The  report  identifies  the  following  key  issues: 
understanding  and  awareness 
data  collection 
branch  coordination 
inconsistent  application  of  policy 
inter-jurisdictional  coordination 
use  of  technology  and  human  resources 

The  report  makes  recommendations  and  surveys  13  other  jurisdictions  in 
Canada  and  the  United  States. 


Report  of  the  Auditor  General  of  Alberta 
October  2009 


123 


Transportation 


Commercial  Vehicle  Safety 


At  July  31,  2009,  ten  OOS  Project  recommendations  have  been  assigned  to 
leadership  teams  for  implementation.  The  balance  has  been  distributed  to  the 
appropriate  branches  for  evaluation  and  planning  for  implementation.  The  OOS 
Project  focuses  specifically  on  ways  to  decrease  out-of-service  rates.  The  OOS 
Project  and  our  audit  reached  similar  conclusions  in  many  respects. 

4.  Findings  and  recommendations 

4.1  Inspection  tools  and  vehicle  selection 
Recommendation 

We  recommend  that  the  Department  of  Transportation  improve  its 
inspection  capability  by  incorporating  risk  analysis  into  the  selection  of 
vehicles  for  roadside  inspection  and  increasing  the  amount  of  information 
available  at  roadside. 


Commercial 
vehicles  must  stop 
and  report 


Background 

All  commercial  vehicles  over  4,500  kilograms  are  required  to  stop  and  report  if 
passing  a  weigh  scale.  If  a  vehicle  is  empty  it  still  must  come  into  the  scale  but 
can  pass  by  the  inspection  window  in  the  outside  lane  and  not  be  weighed. 
Typically,  one  or  two  officers  monitor  traffic  from  the  station  with  a  separate 
team  conducting  inspections.  On  average  a  Level  1  inspection  takes  30  to  40 
minutes  with  between  six  and  eight  inspections  typically  conducted  during  an 
eight  hour  shift.  Evening  shifts  employ  one  or  two  staff  that  either  monitor  the 
scales  or  conduct  inspections. 


At  June  30,  2009  there  were  22,443  carriers  in  Alberta,  operating  about  120,000 
vehicles  in  total.  1,500  of  these  carriers  are  "on-monitoring"  of  which  712  or 
47%  are  one  truck  carriers. 


Thermal  imaging 
units  help  look  for 
mechanical  faults 


The  Department  has  thermal  imaging  units  at  weigh  scales  situated  at  Balzac, 
Leduc  and  Grand  Prairie.  The  units  take  thermal  images  of  trucks  as  they 
approach  the  weigh  scale.  If  the  unit  identifies  a  vehicle  that  has  unusually  hot 
brakes,  exhaust  or  other  component,  the  vehicle  will  be  detained  and  inspected. 
Thermal  imaging  units  are  moved  around  the  province  periodically  for  regional 
initiatives. 


Some  information  Inspectors  have  computer  access  to  some  information  about  the  vehicle  they  are 

examining  through  a  computer  application  called  the  VIS  Dashboard.  It 

available  at  °         °  r  rr 

roadside  displays  data  about  a  particular  vehicle  from  three  databases,  such  as: 

•  registration  and  vehicle  identification  number 

•  permit  information  if  applicable 

•  carrier  safety  rating  if  available 
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•  date  of  last  CVSA  inspection  and  high-level  result  of  Pass.  Requires 
Attention  or  OOS 

•  expiry  date  of  the  annual  inspection 


Inspectors  are  also 
mobile  and  stop 
vehicles  in 
random  locations 


Mobile  inspection  takes  a  different  approach.  The  officer  will  sit  at  roadside 
and  visually  inspect  trucks  as  they  drive  by.  Officers  may  look  at  the  annual 
inspection  sticker  whose  shape  will  indicate  when  the  last  annual  inspection 
was  done,  signs  indicating  what  the  truck  is  carrying,  assess  if  it  is  full  or 
empty,  if  the  load  is  secure  and  generally  use  professional  judgment  w  hether 
the  vehicle  should  be  inspected. 


When  an  officer  inspects  a  vehicle  using  this  process,  both  CVSA  and  the 
Traffic  Violation  Reports  are  filled  out  by  hand  and  retained  for  submission  to 
the  Red  Deer  central  office  for  processing.  After  explaining  the  results  of  the 
inspection,  the  driver  is  presented  with  a  copy. 

Insurance  or  registration  violations  can  result  in  a  regulatory  shutdown  for  a 
carrier.  The  registration  system  is  accessible  roadside  to  facilitate  this  part  of 
the  inspection. 

While  inspectors  have  some  information  on  the  vehicle  via  the  VIS  Dashboard, 
it  is  not  detailed  enough  to  tell  them  w  hat  issues  may  have  existed  the  last  time 
it  was  inspected. 


Data  entry 
processes  could 
improve 


Other  than  one  field  on  the  VIS  Dashboard,  there  is  no  electronic  submission  or 
entry  capability  of  inspection  details  at  roadside.  The  process  of  entering 
inspections  results  into  the  computer  system  follows  days  afterward  and  is  done 
by  personnel  not  present  at  the  inspection.  Some  interpretation  of  results  may 
be  required. 


Criteria:  the  standards  we  used  for  our  audit 

Monitoring  should  influence  operational  decisions,  including  but  not  limited  to 
choosing  inspection  locations,  inspection  times,  and  focusing  on  trends  brought 
forward  through  analysis  of  the  data  they  collect.  Inspection  results  should  be 
recorded  in  an  accessible  manner,  appropriately  distributed  and  monitored  on  a 
timely  basis. 


No  analysis  on 
which  carriers 
have  not  been 
inspected 


Our  audit  findings 

Currently  the  Department  conducts  no  analysis  to  identify  carriers  or  vehicles 
that  have  not  had  a  roadside  inspection.  The  carrier  profile  captures  inspection 
information,  the  absence  of  which  when  calculating  the  R-Factor  would 
indicate  that  no  inspection  has  been  done  for  that  carrier. 
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We  reviewed  96  inspection  documents  and  related  computer  records  from  2008. 
All  were  from  either  Level  1  or  2  inspections  from  routine  activities.  We  also 

1  2 

analyzed  data  of  all  inspection  records  for  the  calendar  year  2007. 


Roadside 
inspections  are 
resulting  in 
deficiencies  being 
corrected 


Results  of 
inspections  are 
paper-based 


Roadside 
inspection  data 
may  take  several 
weeks  to  reach 
computer  system 


New  software 
tested,  but  no 
consensus  for 
stakeholders  on 
success 


We  found: 

121,414  registered  commercial  vehicles 
17,755  or  about  15%  had  been  inspected  roadside 
3,822  of  the  17,755  had  been  inspected  more  than  once 
73%  were  comprehensive  Level  1  or  2  inspections 
48%  of  inspections  identified  one  or  more  defect 

85%  of  the  vehicles  inspected  more  than  once  were  able  to  correct  issues 
between  inspections,  suggesting  that  the  inspection  process  is  effective 


We  attended  inspections  at  the  Leduc,  Alberta  weigh  station  and  on  mobile 
patrol.  At  Leduc  we  observed  Level  1  inspections;  on  patrol,  we  observed  an 
inspector  complete  Level  3  inspections  consisting  of  a  full  document  check, 
including  driver's  log  review,  and  a  visual  examination  of  the  vehicle.  During 
our  observation,  the  patrol  assessed  no  need  for  Level  1  inspections  though 
patrol  vehicles  are  properly  equipped  to  do  so  if  the  inspector  chooses.  In  all 
cases,  inspectors  filled  out  paper  forms  after  their  examinations  of  vehicles. 
Inspectors  do  not  have  access  to  an  inspection  history  of  the  vehicle, 
driver/carrier  profiles. 

We  found  that  it  can  take  up  to  eight  weeks  for  inspection  information  to  be 
entered  into  the  Department's  database.  This  delay  can  occur  for  several 
reasons.  The  inspector  may  have  issued  a  "requires  attention"  ticket  and 
retained  the  inspection  report  until  the  carrier  returned  documentation 
indicating  that  they  had  addressed  the  problem.  Delays  may  occur  in 
transporting  the  documents  from  the  field  to  Red  Deer  and  then  to  the  entry 
clerks  in  Edmonton.  Volume  can  also  affect  entry  times  by  collecting  reports 
over  time  for  batch  entries. 

In  2006,  Alberta,  in  collaboration  with  the  Government  of  Canada  and 
Manitoba  Public  Insurance,  conducted  a  pilot  test  of  software  designed  to  track 
inspection  results  and  deliver  them  to  the  roadside  in  real  time.  We  were  told 
that  the  pilot  was  successful  from  the  Department's  perspective,  but  didn't 
satisfy  the  needs  of  all  of  the  testing  partners.  We  understand  that  the 
Department  is  planning  to  develop  a  system  like  the  one  piloted  and  that  the 
VIS  dashboard  may  have  potential  to  deliver  similar  benefits  to  the  roadside, 
but  needs  to  incorporate  more  detail  for  both  input  and  output. 


12  Data  provided  by  the  information  Management  Branch.  We  limit  our  analysis  to  complete  records  and  exclude  any  records 
missing  plate  or  VIN. 
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Implications  and  risks  if  recommendation  not  implemented 

Without  ongoing  analysis  of  the  entire  population  of  commercial  vehicles  being 
inspected,  the  Department  cannot  identity  carriers  who  they  have  not  inspected. 
By  incorporating  analysis  of  currently  held  data  into  a  risk-based  selection 
process  for  carrier  inspection,  the  Department  could  provide  better  assurance 
that  carriers  are  comply  ing  with  the  regulations.  Without  complete  and  current 
information,  roadside  inspectors,  whether  at  weigh  scales  or  mobile,  will  not 
have  the  information  they  need  to  properly  perform  their  duties. 

4.2  Progressive  sanctions 
Recommendation  No.  14 

\\  e  recommend  that  the  Department  of  Transportation  strengthen 
enforcement  processes  relating  to,  or  arising  from,  roadside  inspections. 


Sanctions  under 
review 


Background 

Procedures  for  progressive  sanctions  are  being  rex  iewed  by  Department  stal  l, 
who  informed  us  that  they  would  like  to  increase  the  efficiency  and  timeliness 
of  sanctions  and  enforcement  processes. 


No  verification 
needed  for  less 
serious  repairs 
ordered  by 
inspection 


Issues  identified  by  inspectors  that  "require  attention"  (but  are  not  so  serious  as 
to  stop  the  vehicle  from  proceeding)  require  the  carrier  to  return  the  inspection 
form  to  the  inspector  with  a  signature  on  the  back  stating  the  issue  w  as 
corrected.  If  applicable,  the  carrier  should  also  submit  receipts  and  way  bills 
showing  the  work  was  completed.  The  signature  can  be  that  of  a  qualified 
mechanic  or  carrier  representative.  In  small  operations,  the  owner  can  sign  as 
having  completed  the  work.  There  is  no  requirement  for  third  party  verification 
that  the  issue  is  resolved  or  for  submission  of  work  orders  or  receipts. 


A  vehicle  cannot  be  placed  OOS  for  multiple  "requires  attention"  v  iolations. 
However,  an  operator  can  be  fined  for  these  violations  if  the  inspector  deems 
necessary.  "On  monitoring"  status  can  lead  to  progressive  discipline  if  the 
carrier  doesn't  respond  appropriately  to  the  issues  brought  forward  by  the 
monitoring.  This  may  include  an  audit  of  a  carrier's  facility. 

Criteria:  the  standards  we  used  for  our  audit 

Enforcement  standards  should  be  clearly  defined  and  consistently  applied 
across  the  province. 


Letters  don't 
specify 
timelines  or 
consequences  for 
non-compliance 


Our  audit  findings 

We  examined  31  "on-monitoring"  files — nine  that  resulted  from  CVSA 
inspections  and  22  that  we  selected  randomly.  We  found  letters  sent  to  carriers 
informing  them  of  their  status  and  requiring  them  to  correct  the  noted  issues  in 
a  "reasonable"  time.  The  wording  on  many  advises  that  failure  to  comply 
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No  evidence  that  a 
driver  complaint 
was  effectively 
followed-up 


Manitoba 
publishes  carrier 
information  on  the 
internet 


"may"  lead  to  some  sort  of  corrective  action.  The  letters  don't  provide 
deadlines  for  compliance  or  a  clear  explanation  of  what  consequences  may 
follow  their  action  or  inaction. 

We  found  only  one  use  of  an  administrative  penalty  to  a  carrier  who  had  failed 
six  of  seven  criteria  during  a  facility  audit.  This  earner  was  fined  the  minimum 
amount  for  the  combined  defects  of  $3,000  after  being  on  monitoring  for  over 
two  years  and  failing  the  audit.  We  understand  this  82-vehicle  carrier  to  be  still 
operating. 

We  found  68  letters  relating  to  1 3  facility  audits.  Four  of  the  audits  were 
followed  up  appropriately,  and  the  balance  stated  that  the  Department 
"anticipated"  the  implementation  of  the  action  plan,  but  didn't  indicate  a 
timeline  or  follow-up  procedure.  Some  of  the  carriers  had  been  "on  monitoring" 
status  for  the  same  issues  for  over  two  years  with  no  observable  enforcement 
action  being  taken  other  then  more  letters  being  sent  to  them. 

We  reviewed  a  complaint  from  a  driver  about  being  told  by  the  carrier  to  work 
extra  hours  and  maintain  two  log  books.13  The  Department's  response  letter  to 
the  carrier  doesn't  directly  address  the  complaint,  restates  the  contents  of  the 
carrier  profile  and  warns  that  failure  to  improve  on  road  performance  may  result 
in  disciplinary  action.  There  is  no  date  for  expected  compliance  or  indication  of 
how  the  letter  would  be  followed  up.  Further,  there  is  no  documentation 
evidencing  that  the  Department  took  steps  to  assess  the  merit  of  the  allegation. 

The  OOS  Project  makes  a  recommendation  that  the  Department  create  a  link  on 
its  website  to  offer  public  access  to  carrier  information.  This  type  of  site  is 
being  used  in  Manitoba,  who  publishes  carrier  demographics,  CVSA  inspection 
results  and  safety  rating  on  their  site.14 

The  Department  is  working  towards  increasing  its  enforcement  efforts.  While 
formal  policy  changes  are  awaiting  ministerial  approval,  the  Department  has 
provided  examples  of  increased  enforcement  activities  during  the  summer  of 
2009.  The  effectiveness  and  scope  of  these  changes  will  be  observable  in  the 
future. 

Implications  and  risks  if  recommendation  not  implemented 

Without  meaningful  consequence  for  operating  in  non-compliance,  carriers  will 
not  change  their  behaviour. 


13  Log  books  detail  the  number  of  hours  a  driver  operates  his  or  her  vehicle. 

14  http://www.gov.mb.ca/mit/mcd/mcs 
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4.3  Analysis  and  measurement 
Recommendation  No.  15 

We  recommend  that  the  Department  of  Transportation  further  develop 
and  improve  its  data  analysis  practices  for  use  in  program  deliver)  and 
performance  measure  reporting. 


Most  collisions 
caused  by  driver 
behavior — not 
mechanical  failure 


Background 

Over  85%  of  commercial  vehicle  collisions  arc  caused  by  driver  attitude  and 
performance.    Compared  to  drivers  of  other  vehicles,  commercial  vehicle 
drivers  were  statistically  more  likely  to  run  off  the  road,  make  an  improper  turn, 
or  make  an  improper  lane  change.  However,  these  drivers  were  statistically  less 
likely  than  other  vehicle  operators  to  follow  too  closely,  make  an  unsafe  left 
turn,  or  disobey  a  traffic  signal.'6 


Roger  Clarke,  an  Executive  Director  with  the  Department,  has  been  published 
observing  that: 

"...Far  too  little  attention  is  paid  to  giving  them  (truck  drivers)  the  vocational 
education  we  give  to  plumbers,  electricians,  pipefitters,  hairdressers  and  most 
other  trades....  There  is  a  dearth  of  professional  training  opportunities  for  new 
drivers...  it  is  one  thing  to  get  a  licence  to  maneuver  a  truck,  another  thing  to  be 
a  professional  operator."  17 


Safety  programs 
not  mandatory 


A  Professional  Driver  Certificate  and  safety  programs  are  available  to  drivers, 
but  not  mandatory  in  obtaining  a  licence. 


Nearly  half  of 
_  non-compliant 
yj  carriers  are  single 

E)  vehicle  operators 


Alberta  participates  in  the  Partners  in  Compliance  Program  (PIC),  recognizing 
carriers  that  have  demonstrated  that  they  are  operating  under  strict  and  effective 
safety  programs.  Member  vehicles  are  equipped  with  transmitters  that  signal 
inspection  stations  that  the  vehicle  can  pass  by  without  stopping.  Currently 
there  are  21  PIC  carriers  in  Alberta. 

Large  carriers  generally  have  resources  available  to  develop  comprehensive 
safety  plans  and  monitor  driver  performance  through  in-house  safet}  officers 
and  carrier  profiles.  However,  47%  of  "on-monitoring"  carriers  are  one-truck 


Several  documents  and  statistical  reports  provided  by  the  Department  and  Todd.  Valerie.  Ian  Tomlinson.  and 
Sylvian  Tremblay.  CCMTA  news,  Newsletter  of Canadian  Council  of  Motor  Transport  Administrators.  Volume  16.  No.  1 
Winter  2008.  1CBC,  Traffic  Collision  Statistics.  Police-attended  Injury  and  Fatal  Collisions,  British  Columbia  2007. 
Thiffault,  Pierre  Ph.D.  Targeting  human  factors  in  the  motor  carrier  industry  in  Canada.  International  Conference  of  Traffic 
and  Transport  Psychology,  Washington  DC,  2008.  Lepofsky.  Mark  Ph.D..  PMP.  "Fmerging  Technologies  in  Hazmat 
Tracking  and  Identification  Workshop."  CO H MED  Conference;  2009. 
1  Department  report:  Alberta  Traffic  Collision  Statistics  2007 

17  Safety  for  the  Long  Haul.  Large  Truck  Crash  Risk,  Causation  &  Prevention.  Ronald  R.  Knipling.  Ph.D.  American  Trucking 
Association 
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Current 
performance 
measure  under 
review  for 
relevancy 


Inspection  process 
concentrates  on 
equipment — not 
driver 


operations.  These  operators  work  in  more  isolated  environments  and  may  not 
have  comparable  resources  to  dedicate  to  safety  programs  and  awareness. 

Goal  3  of  the  Ministry  of  Transportation's  2007-2010  business  plan  is  to 
"Deliver  safety  focused  transportation  education  and  enforcement  programs." 
Currently,  the  Department  reports  its  activities  towards  this  goal  as  "Percentage 
of  inspected  vehicles  requiring  on-site  adjustments.,, 

The  data  for  this  measure  is  obtained  through  an  annual  survey  at  64  inspection 
sites  across  Alberta.  Department  staff  conduct  inspections  of  the  first  seven 
commercial  vehicles  arriving  at  the  station  on  the  survey  day  and  report  the 
number  of  vehicles  taken  out-of-service  for  mechanical  violations.  The  OOS 
Project  recommends  that  the  current  performance  measure  be  removed,  as  it 
doesn't  address  all  industry  sectors,  include  many  driver-related  issues  or 
provide  sufficient  information  for  planning. 

Criteria:  the  standards  we  used  for  our  audit 

Legislative  requirements  should  be  communicated  to  industry  and  training 
should  be  provided.  The  Ministry  of  Transportation  should  be  able  to 
demonstrate  accountability  for  commercial  vehicle  safety  in  Alberta  and  should 
have  the  systems  in  place  to  report  on  its  operations  (e.g.,  cost  and  outputs)  and 
effectiveness  (meeting  objectives).  Reporting  should  include  quantifiable 
performance  measurement  where  possible.  The  Department  should  use  the 
accountability  process  to  enhance  program  design  and  delivery. 

Our  audit  findings 

The  existing  inspection  process  does  not  incorporate  driver  knowledge,  attitude 
or  behaviour.  Our  testing  of  CVS  A  inspections  showed  that  less  than  half  of  the 
issues  found  were  for  mechanical  defects:  the  balance  was  split  between  driver 
hours  of  service,  credential  violations  and  load  deficiencies.  Our  review  of 
36  carrier  profiles  shows  47%  of  the  convictions,  CVSA  deficiencies  and 
violations  were  driver  related  and  less  than  25%  were  mechanical  defects. 

The  OOS  Project  included  an  operator  survey.  34%  of  respondents  replied  that 
a  reason  for  being  placed  OOS  was  an  hours  of  service  violation,  and  81% 
agreed  that  the  violation  was  justified.  When  asked  why  a  driver  would  risk  an 
OOS  violation,  typical  responses  included: 
"wanted  to  get  home  for  off  duty  time" 
"go  or  get  fired" 

"because  I  would  have  lost  my  job" 
"need  to  make  money" 

"didn't  think  the  violation  was  serious  enough" 
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•  "had  to  get  out  of  the  bush" 

•  "I  just  monitor  it  and  take  it  easy" 

Our  review  of  the  Department's  records  and  public  documents  found: 

•  mechanical  condition  of  the  vehicle  is  not  the  major  cause  of  collisions,  as 
driver  error  is  to  blame  for  over  85%  of  collisions  for  commercial 
vehicles. 

•  The  top  four  factors  in  commercial  vehicle  collisions  relate  to  the  dri\  ers: 

•  inattentiveness  28.2% 

•  error/confusion  15.6% 

•  speed  14% 

•  failure  to  yield  right  of  way  1 1 .8%14 

Also,  a  driver  with  any  single  road  conviction  has  a  56%  increased  likelihood 
of  having  a  collision.  This  makes  convictions  a  strong  indicator  of  future 
behaviour."11 


Opportunities 
exist  to  learn  more 
about  causes  of 
driver  behaviour 


All  roadside  and  annual  commercial  vehicle  inspections  involve  an  exchange 
with  the  driver.  The  inspector  conveys  information  and  controls  the 
conversation;  this  event  provides  an  opportunity  to  gather  information  from 
drivers  that  may  not  be  specifically  requested  by  the  inspection  form.  The 
Department  should  take  advantage  while  developing  and  assessing  its  programs 
to  reduce  collisions. 


Data  can  be  used 
to  look  for  trends 
and  develop 
strategies 


The  inspection  event  provides  a  unique  opportunity  to  communicate  with, 
survey  and  educate  drivers  while  they  are  actively  working.  By  taking  full 
advantage  of  this  time,  the  Department  can  reinforce  and  deliver  messages 
beyond  those  related  specifically  to  violations  or  problems.  Better  focused 
information,  including  performance  measures  relating  to  potential  causes  of 
non-mechanical  induced  collisions  will  assist  in  the  development  of  specific 
initiatives  to  reduce  these  types  of  collisions. 

Education  and  communication  are  elements  of  the  Department's  Traffic  Safety 
Plan  and  the  OOS  Project  recommendations.  The  Department  is  demonstrating 
recognition  of  these  tools  as  proactive  ways  to  affect  driver  performance. 


18  Thiffault,  Pierre  Ph.D.  Targeting  human  factors  in  the  motor  carrier  industry  in  Canada,  International  Conference  of 
Traffic  and  Transport  Psychology,  Washington  DC,  2008. 

19  1CBC,  Traffic  Collision  Statistics.  Police-attended  Injury  and  Fatal  Collisions,  British  Columbia  2007. 

20  Todd.  Valerie.  Ian  Tomlinson,  and  Sylvian  Trembla\ .  ( '<  'MTA  news.  (Newsletter  of  Canadian  Council  of  Motor  Transport 
Administrators).  Volume  16.  No.  1  Winter  2008 
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22 


The  CCAF21  report  Public  Performance  Reporting-Reporting  Principles' 
recommends  that  measures  be  centered  on  core  objectives,  should  be  forward 
looking  as  well  as  retrospective,  and  inform  the  public  about  the  goals  they  are 
pursuing  and  how  their  activities  contribute  to  these  goals.  In  Alberta 
Treasury's  paper,  Measuring  Performance,23  the  first  guiding  principles  are: 

•  focus  on  results — determine  the  effects  programs  are  having  rather  than 
measuring  what  has  been  produced 

•  a  few  key  measures  per  ministry — provide  a  snapshot  of  the  ministry's 
performance  for  its  core  businesses 


The  current  performance  measurement  is  narrowly  focused  on  mechanical 
defects  for  a  limited  population  and  is  not  reflective  of  activity  throughout  the 
year.  It  does  not  reflect  the  effects  that  programs  are  having  on  commercial 
vehicle  safety  and  does  not  provide  information  about  the  safety  of  Alberta's 
roads. 

Implications  and  risks  if  recommendation  not  implemented 

Without  clearly  defined  performance  measures  and  analysis  of  its  own  data,  the 
Department  cannot  effectively  plan  for  and  use  their  financial  and  human 
resources. 


:i  Canadian  Comprehensive  Auditing  Foundation,  see  http://www.ccaf-fcvi.com/english/index.html 
22  Public  Performance  Reporting — Reporting  Principles-  CCAF  2002 


Measuring  Performance-  Alberta  Treasury  1996 
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Government  of  Alberta  and  Ministry  Annual  Reports 


Government  of  Alberta  and  Ministry 
Annual  Reports 

Financial  statements 

Unqualified  Our  auditor's  opinions  on  the  Government  of  Alberta's  consolidated  financial 

auditor's  opinions     sUUemcnts  for  the  ycar  endcd  March  3  j  2009  is  unqualified. 

We  are  satisfied  that  the  transactions  and  activities  we  examined  in  financial 
statement  audits  complied  with  relevant  legislative  requirements.  As  auditors,  we 
test  only  some  transactions  and  activities,  so  we  caution  readers  that  it  would  be 
inappropriate  to  conclude  that  our  testing  would  identify  all  transactions  and 
activities  that  do  not  comply  with  the  law. 

We  issued  unqualified  auditor's  opinions  on  ministry  financial  statements  for  the 
year  ended  March  3 1 ,  2009. 

At  page  69  of  our  April  2009  Report,  we  discussed  several  topics  that  are  important 
in  understanding  Alberta's  consolidated  financial  statements. 


Unqualified 
auditor's  opinion 
on  Measuring  Up 


Unqualified 
review 
engagement 
reports 


Ministry  of 
Treasury  Board 
should  work  with 
ministries 


Performance  measures 

Measuring  Up 

We  audited  24  of  the  61  performance  measure  in  Measuring  Up  and  w  ere  able  to 
issue  an  unqualified  auditor's  opinion. 

Ministry  annual  reports 

We  reviewed  141  performance  measures  included  in  24  ministry  annual  reports  and 
were  able  to  to  issue  24  unqualified  review  engagement  reports. 

Findings  and  recommendations 

Analysis  and  review  of  performance  measures — recommendation 

The  following  recommendation  was  made  as  part  of  our  audit  of  performance 
measures  in  Measuring  Up.  It  is  supported  by  our  observations  from  our  reviews  of 
perfonnance  measures  in  ministry  annual  reports. 
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Recommendation  No.  16 

We  recommend  the  Ministry  of  Treasury  Board  work  with  Ministries  to 
improve  processes  at  the  ministry  level  relating  to  analysis  and  review  of 
performance  measures.  We  also  recommend  the  Ministry  of  Treasury  Board 
establish  a  protocol  with  ministries  whereby  it  is  informed  of  proposed  changes 
by  ministries  to  performance  measures  methodology  in  a  timely  manner. 

Background 

Ministries  prepare  and  report  performance  measures  based  on  data  collected 
internally  or  data  provided  by  third  parties.  A  total  of  24  performance  measures  are 
presented  in  Measuring  Up  as  audited.  Of  these  24,  data  for  five  measures  are 
generated  and  collected  internally  by  individual  Ministries  and  data  for  the 
remaining  measures  are  compiled  from  survey  firms,  Statistics  Canada  and  other 
external  sources. 

Ministries  are  responsible  for  reviewing  performance  measure  results  in  order  to 
provide  assurance  on  the  reliability,  comparability  and  understandability  of  the 
information  presented.  The  Ministry  of  Treasury  Board  relies  on  these  processes  at 
the  ministry  level. 

Criteria:  the  standards  we  used  for  our  audit 

There  should  be  consistent  practices  relating  to  the  review  and  approval  of 
performance  measure  data,  calculations  and  disclosures. 

The  Ministry  of  Treasury  Board  should  be  aware  of  all  revisions  proposed  to 
performance  measures  included  in  Measuring  Up. 

Our  audit  findings 

Inconsistencies  were  noted  in  the  level  of  analysis  and  review  of  performance 
information  by  management  at  Ministries  as  well  as  documentation  supporting  the 
analysis  and  review  performed.  Given  the  reliance  that  the  Ministry  of  Treasury 
Board  places  on  the  work  at  the  ministry  level,  we  expected  to  see  more  consistency 
in  the  level  of  work  performed  at  the  ministry  level  to  support  management's 
assertions  regarding  the  performance  information.  Inconsistencies  were  also  noted  in 
the  level  and  quality  of  support  provided  to  explain  factors  influencing  actual 
performance  results  at  ministries. 

This  general  observation,  although  limited  to  processes  examined  relating  to  the 
24  audited  performance  measures,  may  also  apply  to  processes  used  to  report  the 
other  37  performance  measures  included  in  Measuring  Up.  As  the  Ministry  of 
Treasury  Board  places  significant  reliance  on  the  work  of  the  Ministries,  to  reduce 
the  risk  of  error  and  misstatement,  the  Ministry  of  Treasury  Board  should  work  with 


Inconsistencies 
noted  in  the  level 
review  and 
analysis 


Ministries  and  the 
Ministry  of 
Treasury  Board 
should  work 
together 
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Ministries  to  improve  the  processes  used  to  provide  assurance  over  the  reliability  of 
performance  i n format i on . 

We  also  noted  that  a  protocol  with  ministries  is  not  in  place  to  ensure  the  Ministry  of 
Treasury  Board  is  made  aware  of  proposed  changes  by  ministries  to  performance 
measures  methodology.  Communication  to  the  Ministry  of  Treasury  Board  of 
proposed  changes  should  be  completed  prior  to  ministries  implementing  changes  to 
performance  measures  included  in  Measuring  I  p. 

Implications  and  risks  if  recommendation  not  implemented 

Reported  performance  measures  may  contain  errors. 


Protocol  is  needed 
for  proposed 
changes 
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Aboriginal  Relations 

Our  audit  findings  and  recommendations 

Grant  monitoring — implemented 

Recommendation     jn  our  2006-2007  Annual  Report  (vol.  2,  page  1 24),  we  recommended  that  the 
implemente  Ministry  of  Aboriginal  Relations  implement  an  effective  risk-based  system  to  ensure 

grant  recipients  comply  with  the  terms  and  conditions  of  grants.  The  Ministry  has 
implemented  processes  to  monitor  timelines  for  submission  of  required  reports  from 
grant  recipients. 


Unqualified 
auditor's  opinion 


Unqualified 
review 

engagement  report 


Financial  statements 

Our  auditor's  opinion  on  the  Ministry  of  Aboriginal  Relations  financial  statements 
for  the  year  ended  March  31,  2009  is  unqualified. 

Performance  measures 

The  Ministry  engaged  us  to  review  selected  performance  measures  in  the  Ministr)  's 
2008-2009  Annual  Report.  We  issued  an  unqualified  review  engagement  report  on 
these  measures. 
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Advanced  Education  and 
Technology 

Summary 

The  Department 

The  Department  of  Advanced  Education  and  Technology  should: 

•  improve  its  processes  for  managing  conditional  grants  to  post-secondarj 
institutions — see  page  142 

•  improve  its  requirements  for  annual  reports  from  post-secondary  institutions 
see  page  1 44 


Entities  that  report  to  the  Minister 

University  of         \ye  have  made  several  recommendations  to  the  University  of  Calgary  over  the  last 
few  years.  Currently,  the  University  is  devoting  substantial  resources  to  review  and 
re-engineer  its  business  processes.  Although  the  University  is  making  progress  in 
improving  the  effectiveness  of  its  decentralized  control  environment,  significant 
control  issues  remain.  The  University  still  has  not  finalized  a  plan,  including 
timelines,  for  resolving  all  key  control  issues.  We  repeated  recommendations  that 
the  University  improve  controls  over  payroll  functions,  approval  and  documentation 
of  journal  entries  and  PeopleSoft  security.  We  stress  that  the  University  needs  to 
finalize  its  plan  to  address  the  outstanding  recommendations  and  follow  it — see 
pages  151  to  157. 


We  also  made  a  new  recommendation  that  the  University  of  Calgary  Board  of 
Governors  should  establish  systems  and  processes  to  guide  all  aspects  of 
compensation,  including  timely  negotiation  and  completion  of  pension  and 
employment  contract  arrangements  for  senior  executive  positions — see  page  146. 

In  our  April  2()()<S  Report  (page  191 ),  we  summarized  the  information  technology 
(IT)  at  colleges  and  technical  institutes,  and  recommended  that  the  Department  of 
Advanced  Education  and  Technology  give  guidance  to  public  post-secondary 
institutions  on  using  an  IT  control  framework  to  develop  control  processes  that  are 
well  designed,  efficient  and  effective.  The  University  of  Calgary  and  University  of 
Lethbridge  are  making  satisfactory  progress  on  issues  we  previously  raised.  We 
made  new  recommendations  to  the  University  of  Alberta  and  Athabasca  University 
related  to  their  IT  control  environment.  We  encourage  the  Universities  to  continue 
working  with  the  Department,  colleges  and  technical  institutes  to  develop  a 
provincial  IT  control  framework — see  page  161. 
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Past 

recommendations 


For  any  outstanding  recommendations  previously  made  to  the  organizations  that 
form  the  Ministry,  please  see  our  outstanding  recommendations  list  on  page  335. 


Department  issues 
grants  for  various 
programs 


Our  audit  findings  and  recommendations 

1 .    Department  of  Advanced  Education  and  Technology 
1.1  Grant  accountability 
Recommendation  No.  17 

We  recommend  that  the  Department  of  Advanced  Education  and 
Technology  improve  its  processes  for  managing  conditional  grants. 

Background 

We  reviewed  the  Department's  processes  for  managing  two  conditional  grant 
programs: 

•  Access  to  the  Future  Fund,  which  matches  donations  to  post-secondary 
institutions.  The  Fund  has  paid  $128  million  since  its  inception  in 
2006-2007. 

•  Enrolment  Planning  Envelope,  which  funds  one-time  costs  for  expanding 
the  number  of  students  able  to  attend  post-secondary  institutions.  The 
Department  paid  $275.7  million  in  2008-2009  to  institutions. 

Conditional  grants  require  recipients  to  use  funds  for  specified  purposes.  The 
Department  may  also  require  grant  recipients  to  return  unspent  funds. 

Criteria:  the  standards  we  used  for  our  audit 

In  managing  conditional  grants,  the  Department  should: 

•  have  processes  to  ensure  that  grant  recipients  meet  eligibility  requirements 

•  establish  clear  criteria  for  making  grant  recipients  accountable  for  how  they 
use  the  funds 

•  establish  realistic  timelines  by  which  recipients  must  have  used  the  funds 
and  achieved  the  outcomes 

•  clearly  communicate  the  criteria  and  targets  to  grant  recipients 

•  follow  up  on  grant  accountability  reports  and  evaluate  whether  conditions 
have  been  met  and  program  outcomes  achieved 

•  take  corrective  action  where  grant  conditions  have  not  been  met 
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Monitoring  and 
accountability 
processes  not 
implemented  since 
2007 


Our  audit  findings 
Access  to  the  Future  Fund 

The  Department  has  not  yet  fully  implemented  its  monitoring  and 
accountability  processes  even  though  the  Fund  started  in  2006  2007.  For 
example,  the  Fund  continues  to  match  donations  based  on  an  institution's 
self-evaluation  of  eligibility,  instead  of  the  Department  verifying  eligibility. 
Although  the  Fund's  managers  have  developed  a  post-grant  review  process, 
they  plan  to  implement  it  only  in  2009-2010.  This  review  would  compare  grant 
applications  with  information  in  an  institution's  audited  financial  statements, 
evaluate  the  risk  of  institutions  not  meeting  grant  conditions  and  obtain  further 
information  from  institutions  where  that  risk  is  high. 


Reporting 
requirements  not 
clear 


The  Fund's  guidelines  ask  institutions  to  report  on  their  use  of  grant  funds 
within  four  months  of  the  fiscal  year-end.  But  neither  the  guidelines  nor 
individual  grant  agreements  state  what  specific  information  the  grant  recipients 
must  provide  to  verify  that  they  have  used  the  funds  appropriately.  While  a 
grant  agreement  may  require  institutions  to  return  unspent  grants  to  the  Fund, 
there  is  no  required  timeline  by  which  the  recipient  must  spend  the  funds  and 
achieve  program  outcomes. 


Inconsistencies  in 
managing  grants 


Reports  long 
overdue,  not 
followed  up 
promptly 


Department 
unaware  of 
S658.000 
overpayment  for 
apprenticeship 


Enrolment  Planning  Envelope 

We  found  inconsistent  processes  for  managing  one-time  funding  for  expanding 
the  number  of  students  able  to  attend  post-secondary  institutions.  The 
Department: 

•  does  not  require  institutions  to  report  on  their  use  of  funds  for 
apprenticeship  training  space  expansions 

•  requires  institutions  to  report  on  funds  spent  on  one-time  costs  for  credit 
program  expansions,  within  six  months  of  their  fiscal  year-end.  But  the 
Department  had  not  received  or  requested  accountability  reports  for 
2006-2007  from  two  of  the  three  institutions  w  e  reviewed  by 

March  24,  2009.  Department  staff  acknow  ledged  that  approximately  20  of 
2 1  institutions  were  late  in  some  of  their  reporting  and  that  the  Department 
was  behind  in  sending  out  follow-up  requests  to  the  institutions. 

•  has  no  process  to  follow  up  with  institutions  to  review  how  they  use  funds 
or  to  identify  if  any  funds  remain  unspent  at  the  completion  of  the  project. 
For  example,  during  our  audit  of  the  one  post-secondary  institution  for 
2007  2008,  we  found  $658,000  of  unspent  apprenticeship  expansion 
funding  from  March  2005.  This  institution's  staff  acknow  ledged  that  this 
was  a  grant  overpayment,  but  that  institution  was  waiting  for  instruction 
from  the  Department  on  what  to  do  with  unspent  funds.  The  Department 
was  unaw  are  of  this  until  we  asked  them  about  it. 
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Department  relies 
on  institutions  to 
spend  funds 
appropriately 


Annual  report 
provides  financial 
and  other 
performance 
information 


Department 
provides  standards 
for  annual  reports 


The  Department  requires  institutions'  senior  financial  officers  to  sign 
accountability  reports  for  one-time  credit  program  expansion  funding.  In  order 
to  rely  on  this  assurance  that  funds  were  spent  correctly,  the  Department  should 
ensure  that  institutions  have  appropriate  internal  control  systems  for  generating 
accountability  reports. 

Implications  and  risks  if  recommendation  not  implemented 

Without  clear  processes  for  managing  conditional  grants,  the  Department 
cannot  be  sure  that  institutions  have  met  the  conditions  and  accomplished  the 
results  for  which  they  receive  funding. 

1.2  Annual  report  standards  for  post-secondary  institutions 
Recommendation 

We  recommend  that  the  Department  of  Advanced  Education  and 
Technology  improve  its  requirements  for  annual  reports  from 
post-secondary  institutions. 

Background 

An  annual  report  is  a  comprehensive  report  on  an  organization's  activities  and 
financial  performance  throughout  the  preceding  year.  It  is  intended  to  keep 
stakeholders  informed.  For  public  institutions,  annual  reports  are  also  an 
important  way  to  hold  senior  management  accountable  for  their  control  and  use 
of  public  resources. 

The  Department  has  a  role  in  communicating  standards  or  expectations  to 
public  post-secondary  institutions.  The  Department  also  monitors  the  sector  and 
evaluates  whether  institutions  are  effectively  managing  their  operations  and 
delivering  programs  in  a  manner  consistent  with  their  approved  mandate  and 
other  Ministry  standards  or  expectations.  The  institutions  are  accountable  to  the 
Minister  and  the  public  for  their  use  of  public  resources. 

Criteria:  the  standards  we  used  for  our  audit 

The  Department  should  have  annual  report  standards  that  hold  post-secondary 
institutions  and  their  management  accountable  for  their  control  and  use  of 
public  resources. 


Institutions  must 
send  annual  report 
to  Minister 


Our  audit  findings 

The  Post-Secondary  Learning  Act]  requires  institutions  to  submit  annual  reports 
to  the  Minister  of  Advanced  Education  and  Technology,  including  audited 
financial  statements  and  any  other  information  the  Minister  requires. 


S.A.  2003,  c.P-19.5 
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Weaker  annual 
report  standards 
exists  for 
institutions,  than 
for  ministries 


The  Department  requires  institutions  to  make  their  annual  reports  available  to 
the  public,  including  posting  the  annual  reports  on  their  websites.  However, 
while  the  Department  encourages  certain  content,  it  does  not  require  the 
institutions  to  provide  specific  information  or  declarations  in  their  annual 
reports.  The  Department's  current  requirements  for  institutions  set  a  low 
standard  for  accountability  when  compared  to  the  annual  report  standards  for 
government  ministries,  for  example.  The  government  requires  ministries  to 
provide  substantial  additional  content  and  sets  high  standards  for 
accountability.  Among  the  requirements  for  a  ministry's  annual  report  are: 

•  management  responsibility  for  reporting — A  statement  from  the  Deputy 
Minister  acknowledging  his  or  her  responsibility  to  ensure  that  effective 
systems  of  financial  management  and  internal  control  are  operating  within 
the  Ministry  and  accepts  responsibility  for  the  accuracy  of  information  the 
Ministry  reports. 

•  results  analysis  (also  known  as  management's  discussion  and  analysis) — A 
balanced  discussion  of  the  Ministry's  overall  results  and  performance, 
including  reporting  on  performance  measures  included  in  the  Ministry's 
business  plan.  Ministries  must  also  link  financial  results  to  the  progress  in 
achieving  goals  and  targets  for  each  core  business. 


Provides  better 
accountability  of 
resources  and 
maintaining 
effective  control 
systems 


Only  three  of  16 

annual  reports 

include 

management 

responsibility 

statement 


Annual  reports  from  institutions  should  include  similar  accountability  and 
responsibility  declarations  by  presidents  and  senior  financial  officers.  These 
declarations  clearly  establish  individual  responsibility  for  maintaining  effective 
internal  control  systems,  safeguarding  assets,  ensuring  transactions  were 
properly  approved  and  complied  with  legislation,  and  correcting  identified 
deficiencies  in  internal  control  systems.  Requiring  results  analysis  and 
discussion  also  establishes  management's  responsibility  to  account  to 
stakeholders  for  their  use  of  the  public's  resources. 

Of  Alberta's  16  public  colleges  and  technical  institutes,  only  three  included  a 
management's  responsibility  statement  in  their  2008  annual  reports.  Eight 
colleges  included  a  results  analysis,  but  four  of  those  included  only  a  brief 
discussion.  For  example.  Grant  MacEwan  University2,  w  hich  had  the  most 
significant  control  weaknesses  (reported  in  our  April  2009  Report  see 
page  81 ),  did  not  include  a  management  responsibility  statement  for 
maintaining  an  effective  internal  control  system. 


"  By  Order  in  Council  (O.C.  481/2009  dated  September  24,  2009)  Grant  MacEwan  College's  name  was  changed  to  Grant 
MacEwan  University. 
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Implications  and  risks  if  recommendation  not  implemented 

In  the  absence  of  management  responsibility  statements  and  disclosure  of  the 
results  of  operations,  the  Department  has  one  less  opportunity  to  hold  an 
institution's  senior  officers  accountable  for  their  control  and  use  of  public 
resources. 


2.    Entities  that  report  to  the  Minister 
2.1  University  of  Calgary 

The  University  has  over  $2  billion  in  assets  and  spends  approximately 
$1  billion  to  support  the  delivery  of  educational  and  research  programs.  In  prior 
years,  we  reported  on  a  number  of  internal  control  deficiencies.  Given  its  size, 
we  concluded  that  significant  improvements  were  needed  to  make  the  control 
environment  effective.  Last  year,  on  pages  213  to  215  of  our  October  2008 
Report,  we  highlighted  several  issues  stemming  from  controls  operating  in  a 
decentralized  environment  that  were  insufficient  to  sustain  efficient  business 
processes.  The  University  continued  to  improve  internal  controls  in  specific 
areas.  For  example,  the  University  made  considerable  improvements  over 
controls  for  sponsored  research  and  trust  accounts. 

Significant  While  overall  progress  was  made  in  addressing  the  recommendation  to  improve 

challenges  remain  thg  effectjveness  0f  me  University's  decentralized  control  environment, 

significant  challenges  remain.  In  dealing  with  this  key  recommendation,  we 
also  stressed  that  the  University  must  promptly  finalize  its  implementation  plan 
and  follow  it.  This  year,  we  repeated  recommendations  for  the  University  to 
improve  controls  in  important  areas  encompassing  payroll,  journal  entries  and 
PeopleSoft  security.  Our  audit  of  payroll  also  resulted  in  a  new 
recommendation  for  the  University  to  improve  its  executive  compensation 
processes. 

The  University  needs  to  solve  its  internal  control  issues.  Until  then,  the 
University  is  exposed  to  increased  risks  of: 

•  inefficient  and  unsustainable  business  processes  resulting  in  improper  use 
of  University  resources  and  increased  costs 

•  fraud  and  errors  going  undetected 

•  inaccurate  financial  information 

2.1.1  Improving  executive  compensation  processes 
Recommendation  No.  18 

We  recommend  that  the  University  of  Calgary  Board  of  Governors 
establish  systems  to  guide  all  aspects  of  compensation,  including  timely 
negotiation  and  completion  of  employment  contracts  for  senior  executive 
positions. 


Control  issues 
identified  by  past 
audits 
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President's  2001 
negotiated  pension 
terms  not  included 
in  employment 
contract  signed 
only  in  2003 


Background 

The  President  and  the  former  Chair  of  the  Board  of  Governors  (the  2001  Chair) 
negotiated  the  President's  employment  contract  in  2001.  During  their 
negotiations,  the  President  and  the  2001  Chair  agreed  that  the  President  would 
be  left  "in  no  worse  a  pension  position  than  if  he  had  stayed  at  McMaster 
University/'  However,  this  term  was  not  included  in  the  written  employment 
contract  that  the  President  eventually  signed  in  2003. 


President  raised 
issue  again  m 
2005  contract 
negotiations 


In  2005,  the  President  informed  the  then-Chair  (the  2005  Chair)  of  an 
unresolved  issue  relating  to  the  recognition  of  past  service  from  McMaster 
University  and  asked  that  the  matter  be  resolved  immediately.  This  issue  arose 
during  discussions  to  extend  the  President's  term  to  January  1 ,  201 1 .  The  2005 
Chair  contacted  his  predecessor,  who  confirmed  the  agreement  to  recognize  the 
McMaster  University  service,  but  could  offer  little  insight  into  why  that  term 
was  not  part  of  the  President's  formal  employment  contract.  The  University 
then  contacted  McMaster  University  for  financial  information  and  retained  a 
pension  specialist  to  advise  the  Board  on  the  financial  implications  of  such 
prior-service  recognition. 


Statement  of 
Principles  signed 
in  late  2006  to 
comply  w  ith  2001 
verbal  aizreement 


To  comply  with  the  original  2001  v  erbal  agreement, "the  President  and  the 
University  signed  a  Statement  of  Principles  in  late  2006.  This  Statement  of 
Principles  recognized  the  President's  22  years  of  serv  ice  with  McMaster 
University  and  included  the  following  clauses: 

•  The  University  hereby  undertakes  to  make  the  President  "whole"  v\  ith 
respect  to  any  pension,  supplemental  pension  or  other  non-pension  benefits 
that  the  President  (or  his  spouse,  dependants  or  beneficiaries)  has  forgone 
as  a  result  of  his  departure  from  McMaster  University  and  accepting  the 
office  of  President  and  Vice  Chancellor  of  the  Univ  ersity. 

•  The  President's  annual  pension  under  the  Supplemental  Pension 
Agreement  will  be  calculated  as  follows:  (2%  x  best  average  salary  x  total 
years  of  pensionable  serv  ice  \\  ith  both  the  Univ  ersity  and  McMaster 
University) — (annual  pension  benefits  under  the  UAPP3  +  annual  estimated 
pension  benefits  in  respect  of  the  McMaster  Pension  Plan). 


The  President  finally  signed  an  amended  employment  contract  on 
February  1 ,  2008. 


Pension  liability 
of  $3.4  million 


On  March  18,  2009.  the  current  Chair  of  the  Board  of  Governors  (the 

2009  Chair)  informed  the  Board's  Audit  Committee  of  the  events  that  had  taken 

place  between  2001  and  2008  relating  to  the  President's  employment  contract. 


''  Universities  Academic  Pension  Plan:  The  Alberta  pension  plan  for  university  professors  and  executives.  Benefits  under  this 
pension  plan  relate  strictly  to  Alberta  service,  which  the  President  would  receive  in  any  event. 
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University  must 
disclose  executive 
salaries  and 
pension 


The  liability  arising  from  such  recognition  had  never  been  recorded  in  the 
University's  financial  statements.  The  Chair  informed  the  Audit  Committee  that 
the  pension  liability  to  the  University  was  approximately  $3.4  million. 

As  a  provincial  corporation  funded  by  the  Government  of  Alberta,  the 
University  must  disclose  executive  salaries  as  well  as  cash  and  non-cash 
benefits  earned  that  year  in  its  annual  financial  statements,  in  accordance  with  a 
Province  of  Alberta  Treasury  Board  Directive4  This  directive  also  requires  the 
University's  financial  statements  to  disclose  its  obligations  to  senior  executives 
enrolled  in  the  University's  supplemental  retirement  plans. 

Criteria:  the  standards  we  used  for  our  audit 

The  Board  should: 

•  have  a  compensation  committee  guided  by  a  formal  compensation  policy  to 
effectively  deal  with  senior  executive  employment  negotiations, 
employment  agreements,  pension  plans  and  all  other  aspects  of 
recruitment,  retention  and  compensation  of  senior  executives 

•  receive,  consider  and  confirm  recommendations  from  the  compensation 
committee  relating  to  details  of  senior  executive  compensation  and  related 
matters 

•  have  a  system  to  ensure  that  the  written  contract  reflects  the  terms  and 
conditions  agreed  upon  during  contract  negotiations  and  that  University 
administration  and  other  appropriate  parties  receive  copies  of  the  contract 
for  action 

•  require  that  University  administration  carry  out  Board  decisions  about 
executive  compensation  and  that  the  University's  financial  statements 
accurately  reflect  information  arising  from  those  decisions 


Compensation 
policies  and 
processes  for 
executive 
employees  needs 
improvement 


Our  audit  findings 

The  University's  compensation  committee  has  no  formal  compensation  policy 
to  guide  employment  negotiations  with  executive  employees.  Also,  the 
University  does  not  have  a  well-defined  process  that  includes: 

•  assessing  the  financial  impact  and  related  obligation  to  the  University  when 
executive  employment  contracts  are  being  negotiated 

•  communicating  key  information  to  University  Administration  and  ensuring 
that  contracts  are  completed  within  a  reasonable  time 


4  The  Salary  and  Benefits  Disclosure  Directive  #12/98,  as  amended  by  #03/04  and  #04/07,  was  issued  by  the  Alberta 
Treasury  Board  under  the  authority  of  the  Financial  Administration  Act. 
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Our  October  2008 
Report  provides 
guidance  on 
compensation 
policies 


Our  audit  of  the  Chief  F:\ecuti\e  Officer  selection,  ev  aluation  and 
compensation  systems  of  board-governed  provincial  agencies,  reported  in  our 
October  2008  Report  (page  23),  provides  further  guidance  for  boards  and 
highlights  the  need  for  boards  to  develop  compensation  policies  for  chief 
executive  officers. 


Five  focus  areas 
highlighted 


Our  review  of  the  circumstances  related  to  the  President's  employment  contract 
resulted  in  five  areas  of  focus: 


2003  contract 
signed  knowing  it 
excluded  key 
conditions 


I.    Terms  relating  to  the  IMcMaster  University  service  excluded  from  the 
original  employment  contract 

The  2001  Chair,  who  negotiated  the  original  agreement,  the  2005  Chair  and 
the  President  each  independently  confirmed  to  us  the  circumstances  as 
outlined  in  the  background  section  of  this  report  item.  The  2001  Chair  w  as 
of  the  view  that  University  Administration  should  have  known  about  the 
pension  liability  and  included  it  in  the  employment  contract  that  the 
University  and  the  President  eventually  signed  in  2003.  The  President  told 
us  that  he  signed  the  contract  knowing  it  did  not  include  significant 
benefits  for  him.  on  the  basis  that  he  had  a  "handshake""  deal  with  the 
University  and  that  he  trusted  they  would  do  the  right  thing.  The  President 
went  on  to  state  that  he  tried  on  several  occasions  from  2003  to  2005  to 
have  the  Board  amend  his  employment  contract  to  conform  with  his 
understanding  of  the  agreement;  his  efforts  were  met  each  time  with 
inaction  and  unfulfilled  promises. 


Seven  years  to 
finalize  contract 
highly  unusual 


2.    Time  taken  to  finalize  an  employment  contract  with  the  President 

It  took  two  years  (2001-2003)  for  the  University  and  the  President  to 
finalize  the  original  employment  contract — and  even  then  it  didn't  include 
key  pension  terms  agreed  upon  by  the  parties.  It  then  took  a  further  t\\  o 
years  to  begin  a  process  to  acknowledge  the  original  (yet  undocumented) 
pension  terms,  and  a  further  three  years  after  that  to  finalize  an  agreement. 
Even  under  the  most  trying  of  circumstances,  which  does  not  appear  to 
have  been  the  case  here,  the  length  of  time  taken  to  complete  a  reasonably 
routine  process  is  highly  unusual. 


Insufficient 
information  to 
University 
Administration  to 
record  pension 
liability  in 
financial 
statements 


Lack  of  communication  between  the  Board  and  University 
Administration 

The  2001  Chair  told  us  that  the  usual  course  of  business  w  as  to  have 
University  Administration  implement  the  Board's  administrative  decisions. 
The  2001  Chair  was  of  the  view  that  University  Administration  failed  in 
their  duty  by  not  ensuring  the  increased  pension  liability  was  recorded 
starting  in  2002.  However,  he  could  provide  no  information  as  to  why  the 
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President  will  not 
be  paid  by  both 
universities  for 
same  service 


Pension  obligation 
actuarially 
measured  in  2009 


Previous  financial 
statements  had 
error  of 

$2,853,000— now 
corrected  and 
pension  properly 
disclosed 


2003  employment  contract  prepared  by  the  University  did  not  contain  the 
terms  and  conditions  that  he  negotiated  with  the  President. 

4.  The  University's  obligation  to  pay  the  President  according  to  the  2008 
amended  employment  contract 

The  President  will  not  be  paid  by  both  the  the  University  and  McMaster  for 
the  same  service.  His  final  pension  benefit  at  age  65  will  be  the  same  as  if 
he  had  retired  after  3 1  Vi  years  at  the  University,  no  more  and  no  less.  Part 
of  his  pension  will  come  from  contributions  he  made  for  22  years  of 
service  with  McMaster  University,  part  from  the  UAPP  and  the  remainder 
from  the  University.  There  were  no  substantial  differences  in  the  method  to 
calculate  the  pension  benefits  under  the  McMaster  and  the  University 
pension  plans. 

5.  The  effect  on  the  University's  financial  statements  for  the  past  eight 

years 

In  2009,  after  the  President  announced  his  intention  to  leave  the  University, 
the  University's  Financial  Services  department  reviewed  the  University's 
obligation  to  the  President.  Through  this  review,  Financial  Services  became 
aware  of  the  amended  supplemental  agreement  and  additional  obl  igations 
of  the  University.  Administration  sought  counsel  from  the  2009  Chair  and 
subsequently  engaged  an  actuarial  specialist  to  re-measure  the  obligations, 
including  the  recognition  of  past  service  costs  at  the  President's  former 
employer. 

We  reviewed  management's  assessments,  the  reports  of  the  actuary  and 
other  supporting  documentation,  and  confirmed  that  the  University's  most 
recent  financial  statements  appropriately  reflected  the  arrangements.  Also, 
to  correct  the  omission  in  financial  statements  over  the  previous  seven 
years,  the  University  expanded  its  disclosure  of  the  transaction  in  the 
salaries  and  benefits  note  and  appropriately  reflected  the  correction  of  the 
error  within  the  financial  statements.  The  effect  of  the  correction  on  the 
President's  March  31,  2008  accrued  benefit  obligation  was  an  increase 
from  $522,000  to  $3,375,000.  The  University  complied  with  disclosure 
provisions  noted  in  the  Alberta  Treasury  Board  Directive  for  senior 
executive  compensation. 
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No  inappropriate 
benefit  to 
President — but 
highly  unusual  to 
take  seven  years 
to  finalize  contract 


Last  year's 
recommendation 


It  seems  highly  unusual  that  the  University  and  the  President  would  take  two 
years  to  negotiate  an  employment  contract,  reduce  it  to  writing,  sign  it  know  ing 
it  excluded  significant  benefits,  and  then  take  a  further  five  years  to  come  to  a 
final  agreement  on  the  excluded  terms.  That  said,  there  is  no  evidence  that  the 
President  or  anyone  else  has  received  or  will  receive  an  inappropriate  benefit 
from  the  amendment  to  his  employment  contract.  We  would  not,  however,  have 
expected  it  to  take  seven  years  to  complete,  or  for  Financial  Services  to  know 
nothing  about  the  pension  liability  for  this  same  period  of  time. 

Implications  and  risks  if  recommendation  not  implemented 

Without  effective  systems  and  processes  to  guide  recruitment,  compensation 
and  retention  of  senior  executives,  the  University  risks  over-compensation  of 
senior  executives,  legal  liability  for  disputed  compensation  agreements  and 
damage  to  its  reputation,  which  in  turn  may  dissuade  qualified  executives  from 
considering  the  University  as  a  career  choice. 

2.1.2  Improve  the  University's  decentralized  control  environment — 

satisfactory  progress 
Background 

In  our  October  2008  Report  (No.  21 — page  2 1 3),  we  recommended  that  the 
University  of  Calgary  improve  the  effectiveness  of  its  decentralized  control 
environment  by: 

•  assessing  w  hether  the  current  mix  of  centralized  and  decentralized  controls 
is  appropriate  to  meet  its  business  needs 

•  defining  clear  goals,  responsibilities  and  accountabilities  for  control 
systems'  design,  implementation  and  monitoring 

•  documenting  its  decentralized  control  environment  and  implementing 
training  programs  to  ensure  those  responsible  for  business  processes  have 
adequate  knowledge  to  perform  their  duties 

•  monitoring  decentralized  controls  to  ensure  processes  operate  effectively 

In  designing  a  framework  of  controls,  the  University  must: 

•  ensure  that  controls  are  in  place  and  operate  consistently  throughout  the 
University 

•  consider  the  whole  institution  when  evaluating  business  risks  and  synergies 

Criteria:  the  standards  we  used  for  our  audit 

The  University's  control  environment  should  ensure  that: 

•  business  processes  are  efficient  and  result  in  timely  and  accurate  financial 
and  non-financial  information 

•  employees  have  adequate  know  ledge  and  are  properly  trained  to  perform 
their  duties 
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University-wide 
review  initiated 


Will  document 
critical  business 
processes 


•  controls  are  well  designed,  understood,  documented,  assessed  for  adequacy 
and  centrally  monitored  for  effectiveness 

•  roles  and  responsibilities  are  defined  to  ensure  controls  are  properly 
implemented,  improved,  maintained  and  monitored 

Our  audit  findings 

We  assessed  progress  on  implementing  this  recommendation  as  satisfactory. 
University  Administration  has  assigned  resources  and  taken  steps  to  deal  with 
business  issues  associated  with  this  recommendation. 

Under  the  leadership  of  the  Vice  President  of  Finance  and  Services,  the 
University  initiated  a  university-wide  administrative  review  of  services  it 
provides  centrally,  as  well  as  those  provided  by  faculties  and  departments.  This 
review,  known  as  the  Innovative  Support  Services  Project  (IS2),  is  intended  to 
deliver  outcomes  and  recommend  changes  to  improve  service  of  the 
University's  support  functions,  reduce  costs  of  delivering  these  services  and 
address  aspects  of  this  recommendation.  On  July  1,  2009,  the  President 
assumed  leadership  of  this  project,  as  one  of  the  University's  priorities.  The 
University's  2009-2013  Business  Plan  states  that  the  review  of  administrative 
functions  is  a  strategic  priority  for  2009-2013. 

In  March  2009,  the  University's  Vice  President  of  Finance  and  Services  also 
announced  a  re-engineering  exercise  designed  to  document  all  critical 
University  processes  associated  with  its  PeopleSoft  system,  including  payroll, 
accounts  payable,  personal  expenses  reimbursement,  and  research  and  trust 
accounting. 


Implementation 
plan  needs  prompt 
attention 


Despite  its  initial  timelines  for  some  of  the  initiatives,  the  University  has  not 
finalized  its  plan  to  fully  implement  this  recommendation.  This  implementation 
plan  should  be  promptly  finalized  before  the  next  audit.  The  plan  should  include 
timelines  for  key  activities,  so  that  senior  management  and  the  Audit 
Committee  can  ensure  they  are  making  sufficient  progress. 


What  remains 


To  fully  implement  this  recommendation,  the  University  must: 

•  confirm  and  document  its  implementation  plan  by  setting  out  key 
deliverables  and  dates 

•  complete  its  administrative  reviews  of  business  processes  to  improve 
efficiencies  and  enable  reliable  financial  and  non-financial  reporting 

•  design  and  operate  controls  that  are  understood,  documented,  assessed  for 
adequacy  and  monitored  centrally  for  effectiveness 

•  design  programs  to  ensure  employees  have  adequate  knowledge  and  are 
properly  trained  to  perform  their  duties 
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define  roles  and  responsibilities  to  ensure  controls  are  propeiiv 
implemented,  improved,  maintained  and  monitored 


Second  time  \\  e 
repeat  this 
recommendation 


2.1.3  Improve  payroll  controls — recommendation  repeated 

We  first  made  this  recommendation  in  our  2006  2007  Annual  Report  (vol.  2 
page  12),  and  repeated  it  in  our  October  2008  Report  (vol.  2    page  216).  For 
the  second  time,  we  have  repeated  this  recommendation  because  the  University 
has  still  not  taken  sufficient  steps  to  mitigate  the  risks  of  incorrect  payroll  and 
protecting  payroll  information.  For  the  year  ended  March  3  I,  2()()c).  the 
University  spent  $570  million  on  payroll  and  benefits  costs,  which  accounted 
for  approximately  60%  of  the  University's  total  expenses. 


Recommendation — repeated 

We  again  recommend  that  the  University  of  Calgary  improv  e  controls  over 
payroll  functions. 


Issues  originally 
reported  in  2007 


Background 

In  2007,  the  University  implemented  the  payroll  and  human  resource  module  in 
PeopleSoft/  We  recommended  in  our  2006-2007  Annual  Report  (vol.  2— 
page  12)  that  the  University  improve  controls  over  payroll,  as  terminated 
employees  were  overpaid  and  staff  access  to  the  payroll  module  was  improperly 
segregated.  Management  agreed  with  the  recommendation  and  planned  to 
improve  controls  and  processes  in  the  payroll  area  by  the  end  of  the  2008  fiscal 
year. 


Criteria:  the  standards  we  used  for  our  audit 

The  University  should  have  adequate  controls  to  ensure  that  it  approves  and 
properly  monitors  new  employees,  terminations  and  job-change  information.  In 
addition,  salary  and  benefits  paid  to  employees  should  be  supported  by 
appropriate  documentation. 


University  internal 
audit  also  found 
several  control 
w  eaknesses 


Our  audit  findings 

The  University  implemented  controls  to  correct  some  of  the  deficiencies  we 
previously  identified.  However,  we  repeat  this  recommendation  because  the 
University  still  lacks  sufficient  controls  over  the  payroll  functions.  Similar  to 
the  issues  we  previously  raised,  the  Univ  ersity  Audit  Service's  August  2008 
report  on  Central  Human  Resources  and  payroll  functions  also  found  several 
control  weaknesses  that  relate  to  approv  al  and  setup  of  new  hires,  payroll 
changes,  salary  recoveries,  payroll  reconciliations  and  inefficient  business 


PeopleSoft  is  an  enterprise  resource  planning  computer  program  used  by  the  University  to  handle  financial  and  business 
processes. 
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Access  controls  to 
payroll  and 
timesheet  still 
require 

improvements 


Access  to  personal 
information  of 
new  staff  not 
adequately 
restricted 


Managers  don't 
approve  overtime. 
\  acation  and  sick 
leave  for  all 
employees 


processes.  This  year,  we  also  found  an  error  relating  to  the  year-end  process  for 
accruing  payroll  costs. 

2.1 .3.1  Improve  new  employee  controls— unsatisfactory  progress 

Last  year,  we  identified  a  control  weakness  that  allowed  291  people  access  to 
create  hourly  employees  in  the  Payroll  module  and  enter  timesheet  information. 
To  address  this,  management  circulated  a  memo  in  February  2009,  and  again  in 
April  2009,  to  individuals  who  have  access  to  both  the  job  and  timesheet 
reporting  modules  of  PeopleSoft.  These  individuals  were  to  specify  which 
module  they  require  access  to.  Based  on  the  results  of  this  information,  the 
University  will  restrict  each  individual's  access  to  one  of  the  two  modules. 

In  the  current  audit,  we  identified  an  additional  weakness  in  new  employee 
controls.  New  hire  forms  contain  confidential  and  sensitive  information  such  as 
pay  rates  and  bank  account  details.  Once  a  central  Recruitment  Administrator 
has  completed  and  reviewed  the  form,  it  is  saved  on  a  shared  drive.  This  drive 
is  accessible  to  the  entire  Central  Human  Resources  office,  at  which  point 
information  could  be  changed  before  a  Workforce  Administrator  uploads  it  into 
PeopleSoft.  This  poses  a  risk  because  unapproved  changes  to  forms  may  lead  to 
fraudulent  activity.  Additionally,  as  personal  information  about  employees  is 
not  restricted,  it  could  be  misused,  and  making  confidential  information 
available  to  everyone  who  has  access  to  a  shared  drive  is  not  a  good  business 
practice. 

2.1 .3.2  Improve  documentation  controls— unsatisfactory  progress 

Last  year,  we  noted  that  some  payroll  controls  are  decentralized  and  are  not 
adequately  designed  to  ensure  payroll  amounts  are  supported  by  adequate 
documentation.  This  continues  to  be  an  issue.  For  salaried  employees, 
exception  time,  such  as  overtime,  vacation  or  sick  leave,  is  entered  into 
PeopleSoft  at  the  department  level.  Employees'  managers  must  approve  the 
time  in  PeopleSoft.  Central  Human  Resources  automatically  approves,  on  a 
mass  basis,  any  exception  time  not  approved  by  an  employee's  manager.  This 
applies  to  approximately  100  employees  per  pay  cycle.  For  one  pay  period  we 
selected.  Central  Human  Resources  approved  the  exception  time  for  93 
employees.  Controls  over  approval  of  exception  time  are  not  operating 
consistently  and  effectively.  Instead  of  approvals  by  Central  Human  Resources, 
the  more  appropriate  control  is  for  an  immediate  supervisor  to  approve 
exception  time. 

2.1.3.3  Improve  job  change  controls — implemented 

Last  year,  we  identified  a  control  weakness  that  allowed  researcher  salaries  to 
be  incorrectly  recorded  to  the  wrong  project  after  the  researcher  changed 
projects  or  roles.  This  year,  when  an  employee  changes  positions,  the 
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department  completes  a  Job  Change  form  and  Central  Human  Resources  enters 
information  such  as  pay  rates  and  job  coding  information  into  PeopleSoft.  We 
did  not  identify  any  incorrect  coding  of  researcher's  salaries  to  research 
projects. 

2.1 .3.4   Improve  termination  controls — implemented 

The  University  implemented  a  termination  checklist  in  November  2008.  When 
an  employee  is  terminated,  their  final  pay  is  held  up  to  ten  days,  until  the 
employee's  department  has  completed  the  checklist  and  delivered  it  to  Central 
Human  Resources.  We  did  not  identify  any  overpayments. 

Implications  and  risks  if  recommendation  not  implemented 

Without  an  adequate  control  environment  over  payroll  processes,  the  University 
of  Calgary  is  at  increased  risk  for  incorrect  payroll  payments  and  misstatements 
in  financial  statements. 


Repeated 
recommendation 
for  third  time 


2.1.4  Improve  PeopleSoft  security — recommendation  repeated 

We  first  made  this  recommendation  in  our  2005-2006  Annual  Report  (vol.  2— 
page  24),  and  repeated  it  in  our  2006-2007  Annual  Report  (vol.  2 — page  13) 
and  our  October  2008  Report  (No.  22 — page  219).  For  the  third  time,  we  have 
repeated  this  recommendation  because  the  University  still  did  not  take 
sufficient  action  to  implement  the  remaining  parts  of  this  recommendation  to 
mitigate  PeopleSoft  security  risks  this  past  year. 


Recommendation  No.  19 — repeated 

We  again  recommend  that  the  University  of  Calgary  improve  controls  in 
its  PeopleSoft  system  by: 

•  finalizing  and  implementing  the  security  policy  and  security  design 
document 

•  ensuring  that  user  access  privileges  are  consistent  with  the  user's 
business  requirements  and  the  security  policy. 


PeopleSoft 
implemented  in 
phases — 
significant 
security  issues 
remain 


Background 

In  April  2004,  the  University  started  a  three-year  project  to  move  several 
critical  business  and  financial  processes  to  PeopleSoft,  an  ERP  (see  glossary  on 
page  347).  Considerable  time  has  passed  since  our  original  recommendation 
and  the  University  has  implemented  parts  of  our  recommendation.  However,  the 
University  did  not  take  sufficient  action  to  properly  mitigate  PeopleSoft 
security  risks  this  past  year.  Given  the  importance  of  resolving  security 
deficiencies  and  the  University's  lack  of  progress  in  implementing  the 
remaining  parts  of  the  recommendation,  we  arc  making  this  recommendation 
for  a  fourth  time. 
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Criteria:  the  standards  we  used  for  our  audit 

The  University  should  have  well-designed  and  effective  procedures  to  reduce 
the  risk  of  unauthorized  or  inappropriate  access  to  PeopleSoft  programs  and 
data  by: 

•  implementing  a  comprehensive  security  policy  and  maintaining  an 
up-to-date  security  design  framework  for  the  PeopleSoft  control 
environment 

•  controlling  access  by  defining  and  enforcing  procedures  to  identify, 
authenticate,  and  authorize  the  use  of  PeopleSoft  and  to  ensure  that  only 
authorized  changes  are  made  to  user  accounts  (additions,  deletions, 
changes)  and  that  they  are  made  promptly 

•  developing  and  implementing  a  security  policy  for  administrative  systems 

•  implementing  an  effective  control  process  to  periodically  review  the 
appropriateness  of  user  access  rights  and  restricting  user  roles  and 
functions  they  can  perform 

Our  audit  findings 

The  University  did  not  make  satisfactory  progress  implementing  a 
comprehensive  security  policy  and  updating  its  PeopleSoft  security  design 
framework.  We  found  the  following  areas  incomplete: 

•  The  security  design  framework  does  not  have  definitions  for  all  user  access 
roles  used  in  PeopleSoft. 

•  User  access  roles  in  two  of  the  PeopleSoft  modules  (Financial  and  Supply 
Chain  Management  and  Human  Capital  Management)  are  different  and 
may  be  incompatible. 

•  The  University  updated  its  security  design  documentation  for  Financial  and 
Supply  Chain  Management  modules.  However,  it  will  not  be  approved  or 
implemented  until  University  management  has  evaluated  and  validated  the 
system's  privileged  access  reports.  The  University  expected  to  complete  its 
evaluation  and  validation  by  the  end  of  September  2009. 

•  PeopleSoft  security  design  documentation  for  the  Human  Capital 
Management  module  is  not  finished.  The  University  expected  a  target 
completion  date  of  June  2009. 

The  University  made  progress  by: 

•  controlling  access  to  PeopleSoft: 

•  The  University  reduced  the  number  of  users  it  authorizes  to  change 
current  or  historical  PeopleSoft  data.  We  also  confirmed  that  the 
changes  made  by  a  limited  number  of  Central  Human  Resource  people 
who  kept  this  function  are  subject  to  validation  and  review. 

•  The  University  is  developing  security  procedures  to  update  access 
when  people  change  jobs.  The  University  has  implemented  an 
automated  tool  for  removing  roles  when  staff  employment  with  the 


Unsatisfactory 
progress  on 
security  policy  and 
security  design 
framework 


Progress  in  some 
areas 
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University  ends.  However,  further  work  is  required  to  ensure 
contractors  and  other  temporary  users  are  also  promptly  removed. 
Implementation  is  expected  in  September  2009. 
developing  and  implementing  a  security  policy  for  administrative  systems, 
developing  an  effective  process  for  monitoring,  identifying  and  responding 
to  security  threats.  However,  the  standards  for  identifying  and  monitoring 
specific  threats  to  systems — including  PeopleSoft — are  currently  in  draft 
form. 

implementing  an  effective  control  process  to  periodically  re\  iev\  the 
appropriateness  of  user  access  rights.  The  Univ  ersity  completed  a  rev  iew  of 
PeopleSoft  privileged  access  in  January  2009.  The  University  plans  to 
evaluate  and  validate,  and  act  on  issues  from  the  privileged  access  reports 
by  fiscal  2010. 


W  hat  remains 


To  fully  implement  the  recommendation,  the  University  must: 

•  complete  the  development  and  implementation  of  a  comprehensive  security 
policy  and  update  its  PeopleSoft  security  design  framework  accordingly. 

•  complete  the  development  and  implementation  of  well-designed  controls  to 
ensure  that  access  to  PeopleSoft  is  well  controlled  and  that  users  only  have 
the  access  they  need  for  their  job  roles  and  functions. 


Implications  and  risks  if  recommendation  not  implemented 

Weak  access  controls  to  and  within  PeopleSoft  may  result  in  unauthorized 
access  to  confidential  data,  entry  of  unauthorized  transactions,  and  the 
accidental  or  deliberate  destruction  or  alteration  of  data.  Poor  controls  may  also 
allow  the  unauthorized  release  of  confidential  student  or  financial  information. 
Therefore,  the  University  may  not  be  able  to  rely  on  the  completeness,  accuracy 
and  validity  of  the  student  and  financial  data  produced  by  PeopleSoft. 


2.1 .5  Improving  controls  over  journal  entries — recommendation  repeated 
Recommendation 

We  again  recommend  that  the  University  of  Calgary  improve  controls  over 
approvals  and  documentation  for  journal  entries. 


Journals  processed 

throughout 

University 


Background 

Journal  entries  are  processed  at  Financial  Services,  faculties,  departments  and 
business  units.  They  can  be  used  to  record  transactions  not  generated  by  the 
accounting  system,  correct  errors,  and  reclassify  items.  Proper  controls  over 
journal  entries  is  important,  as  they  can  be  used  to  bypass  other  control 
processes. 
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In  our  October  2008  Report  (page  217),  we  recommended  improvements  in 
controls  over  journal  entries.  In  our  2006-2007  Annual  Report  (vol.  2— 
page  17),  we  also  reported  on  management's  investigation  of  journal  entries 
processed  by  a  former  employee  at  Campus  Infrastructure  that  were 
inappropriate.  Last  year,  we  highlighted  the  decentralized  processes  as  a 
contributing  factor  in  failure  of  financial  controls,  inefficient  and  unsustainable 
business  processes,  and  financial  reporting  errors. 

Criteria:  the  standards  we  used  for  our  audit 

The  University  should  maintain  adequate  controls  to  ensure  journal  entry 
transactions  are  correct  and  are  reviewed,  approved  and  substantiated  by 
sufficient  supporting  documentation. 

Our  audit  findings 

We  repeat  the  recommendation  because  the  University's  progress  remains 
unsatisfactory.  Management  stated  that  they  would  finalize  a  policy,  which  they 
had  drafted  in  January  2008,  by  June  2008.  However,  the  University  missed  this 
deadline  and  has  now  set  a  March  31,  2010  deadline  to  fully  implement  policies 
that  would  apply  to  all  faculties,  departments  and  business  units.  Proper 
controls  over  journal  entries  are  critical,  given  that  journal  entries  can  be  used  to 
conceal  fraudulent  activities. 


Issues  remain 


Inconsistencies  in 
review,  approval 
and  supporting 
documents 


Insufficient 
training 


We  continue  to  see  issues  relating  to  journal  entry  controls.  Here  are  some 
examples: 

•  The  University's  decentralized  environment  lends  itself  to  inconsistencies 
in  practices.  Journal  entries  are  processed  at  Financial  Services  and  in 
faculties,  departments  and  business  units.  Controls  over  journal  entries  vary 
within  each  of  these  groups.  There  is  no  uniform  policy  that  dictates  a 
process  for  approval  and  review  or  identifies  types  of  supporting 
documents  required  before  processing  journal  entries.  Financial  Services 
has  defined  and  enforced  processes  for  journal  entries  at  the  central 
accounting  office.  However,  these  processes  are  not  followed  at  faculties, 
departments  and  business  units. 

•  The  creators  and  approvers  of  journal  entries  may  not  have  sufficient 
financial  statement  knowledge  to  recognize  erroneous  or  fraudulent  journal 
entries.  For  example,  in  one  instance,  the  preparer  made  incorrect  journal 
entries  when  requesting  cash  transfers  from  a  central  department  by 
charging  the  business  unit's  cost  of  sales  account  instead  of  the  unit's  cash 
accounts.  The  reviewer  approved  the  entries  without  noting  the  errors. 


No  central 
monitoring 
function 


Our  observation  is  that  no  single  group  at  the  University  has  taken  the  initiative 
to  improve  the  journal  entry  process.  In  previous  years,  Financial  Services 
commissioned  a  review  of  the  journal  entry  process.  Their  review 
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recommended  several  key  improvements.  Although  Financial  Services 
addressed  some  issues,  their  recommendations  did  not  apply  to  the  University 
as  a  whole. 

Implications  and  risks  if  recommendation  is  not  implemented 

Without  adequate  controls  over  journal  entries,  the  University  may  not  ensure 
that  it  will  detect  inappropriate,  erroneous  or  fraudulent  entries  that  might  cause 
misstatements  in  the  financial  statements  and  undetected  fraud. 

2.1 .6  Improve  controls  over  investments — implemented 
Background 

In  our  October  2008  Report  (page  22 1 ),  we  recommended  that  the  University  of 
Calgary  improve  its  controls  over  transactions  for  investments  it  manages 
internally. 

The  University  has  implemented  this  recommendation.  It  implemented  a  formal 
process  that  requires  the  timely  monitoring  and  approval  of  investment 
transactions.  We  tested  a  sample  of  transactions  and  found  that  the  Treasurer 
and  Director  of  Investments  had  properly  approved  the  transactions. 

2.1 .7  Comply  with  legislation — implemented 
Background 

In  our  October  2008  Report  (page  222),  we  recommended  that  the  University  of 
Calgary  comply  with  the  Post-Secondary  Learning  Actb  by  seeking  approval  of 
the  Lieutenant  Governor  in  Council  before  engaging  in  housing  loan  guarantee 
transactions. 

The  University  sought  the  Lieutenant  Governor's  retroactive  approval  for 
previously  issued  housing  loan  guarantees.  The  Ministry  of  Advanced 
Education  and  Technology  informed  the  University  that  the  Lieutenant 
Governor's  retroactive  approval  of  the  transaction  cannot  be  obtained.  As  a 
result,  the  University  has  suspended  the  program  as  of  June  2008.  Due  to 
contractual  obligations,  the  University  is  not  in  a  position  to  withdraw  from 
guarantees  already  made.  Also,  the  University  plans  to  honour  commitments 
made  in  offer  letters  issued  prior  to  June  2008.  The  University  intends  to  ensure 
future  compliance  with  the  Act. 


New  transaction 
approval  process 
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2. 1.8  Capital  construction  project  management  controls— implemented 
Background 

In  our  J 999-2000  Annual  Report  (page  233),  we  recommended  that  the 
University  of  Calgary  strengthen  its  project  management  controls  over  capital 
construction  projects.  In  2005,  we  assessed  the  progress  and  found  that  the 
University  made  satisfactory  progress  implementing  parts  of  the 
recommendation.  This  year,  our  audit  work  focused  on  the  two  parts  of  the 
recommendation  that  remained  outstanding. 

The  University  implemented  our  recommendation  by  introducing  formal 
processes  for: 

•  reviewing  the  performance  of  employees  who  manage  capital  projects 

•  closing  completed  projects  using  tools  such  as  a  closeout  checklist  and 
project  sponsor  signoff  to  indicate  they  accept  a  project's  constructed  assets 

2.2  University  of  Alberta— Improve  investment  controls— implemented 

In  our  October  2008  Report  (No.  20 — page  21 1),  we  recommended  that  the 
University  of  Alberta: 

•  provide  increased  levels  of  detail  on  investments  to  the  Investment 
Committee  to  facilitate  the  monitoring  of  the  University's  investments 

•  implement  approval  procedures  for  new  investment  vehicles 

The  University  has  implemented  this  recommendation.  It  has  provided  the 
Investment  Committee  with  detailed  lists  of  investments  in  quarterly  reviews 
for  internally  and  externally  managed  investments,  as  well  as  ensuring  additions 
to  the  list  of  approved  securities  are  approved  by  the  Director  and  Treasurer  of 
Financial  Services. 

2.3  University  of  Lethbridge— Improve  the  University's  financial  processes- 
implemented 

In  our  October  2008  Report  (page  223),  we  recommended  that  the  University  of 
Lethbridge  improve  its  year-end  processes  to  ensure  the  preparation  of  complete 
and  accurate  financial  statements. 

The  University  implemented  the  recommendation.  It  hired  a  manager 
responsible  for  financial  reporting.  It  also  purchased  Caseware  software  to 
automatically  produce  the  2008-2009  financial  statements,  schedules  and  lead 
sheet  preparation,  instead  of  the  manual  processes  that  was  followed  in  the 
previous  year.  The  University  reviewed  all  current  and  potential  contractual 
agreements  in  order  to  identify  potential  accounting  issues,  and  reviewed  and 
assessed  the  impact  of  any  new  accounting  pronouncements  that  may  affect  the 
financial  statements. 
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2.4  Information  technology  controls  for  all  universities — progress  report 
Background 

In  our  April  2008  Report  (No.  8 — page  195),  we  recommended  that  the 
Department  of  Advanced  Education  and  Technology  give  guidance  to  public 
post-secondary  institutions  on  using  an  IT  control  framework  to  develop  control 
processes  that  are  well  designed,  efficient,  and  effective. 


Previous  issues 
reported  to 
Department 


Previous  issues  at 
Universities  of 
Calgary  and 
Lethbridae 


In  our  2006-2007  Annual  Report  (vol.  2 — page  10),  we  recommended  that  the 
University  of  Calgary  implement  an  IT  governance  and  control  framew  ork.  Last 
year,  we  rated  the  University's  progress  implementing  this  recommendation  as 
satisfactory.  In  that  same  report.  (No.  21 — page  23).  we  recommended  thai  the 
University  of  Lethbridge  enhance  controls  over  its  information  technology  by 
implementing  an  IT  control  framew  ork. 


Purpose  of  IT 
control  framework 


An  IT  control  framework,  such  as  COBIT  (Control  Objectives  for  Information 
and  Related  Technology),  is  a  means  to  attain  sufficient  and  effective  controls 
over  an  organization's  information  and  the  systems  and  processes  that  create, 
store,  manipulate  and  retrieve  important  data.  Successful  implementation  of  the 
framework  depends  on  support  from  key  officials  such  as  the  President,  Board 
of  Governors  and  the  Chief  Information  Officer  (CIO). 


Purpose  of  IT 
controls 


Well-designed  and  effective  IT  control  processes  developed  through  an  IT 
control  framew  ork  are  the  best  way  to  preserve  the  security  and  integrity  of  an 
organization's  information  and  systems.  A  comprehensive  IT  control 
framework  should  be  a  critical  part  of  the  University's  internal  control  program 
to  mitigate  risks  and  should: 

•  provide  secure  programs  and  sen  ices  to  staff  and  students 

•  protect  the  confidentiality  and  security  of  financial  and  student  information 

•  ensure  that  systems  work  as  expected  and  are  available  when  needed 


New  provincial 
initiative  to 
de\  elop  IT  control 
framework 


Satisfactory 
progress 


Our  audit  findings 

The  Department  started  a  provincial  initiative  to  implement  a  provincial  IT 
control  framework  based  on  COBIT.  The  Institutions  participated  with  the 
Alberta  Association  in  Higher  Education  for  Information  Technology 
(AAHEIT)  to  develop  a  provincial  IT  control  framework  standard  and 
supporting  policies  and  procedures. 

We  followed  up  our  previous  recommendation  at  the: 

•     University  of  Calgary  (2005-2006  Annuo/  Report,  vol.  2 — page  20  and 
2006-2007  Annual  Report,  vol.  2 — page  10) — it  has  fully  implemented 
three  parts,  has  made  satisfactory  progress  on  two  and  less  progress  on  the 
three  other  parts  of  the  original  recommendation.  Overall,  we  concluded 
the  progress  in  implementing  the  recommendation  is  satisfactory. 
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University  of  Lethbridge,  2006-2007  Annual  Report  (No.  21,  vol.  2— 
page  23) — made  satisfactory  progress  implementing  the  recommendation. 
It  drafted,  but  has  not  formally  approved,  a  set  of  IT  policies,  has  made 
significant  improvements  in  how  it  manages  change,  such  as  following  a 
defined  workflow  and  tracking  the  changes  to  Banner,  and  also  hired  IBM 
to  help  implement  Information  Technology  Infrastructure  Library  and  to 
improve  the  University's  processes  for  managing  systems  changes. 


New 

recommendations 
to: 

University  of 
Alberta 


This  year,  we  made  new  recommendations  to  the  University  of  Alberta  and 
Athabasca  University  to  improve  their  IT  controls. 

The  University  of  Alberta  needs  to: 

•  define  and  implement  an  effective  University-wide  IT  governance  program 
for  critical  IT  systems 

•  develop  comprehensive  University-wide  IT  policies,  procedures  and 
standards  to  support  an  IT  strategy  for  its  critical  systems 

•  implement  effective  control  processes  that  ensure  these  policies,  procedures 
and  standards  are  monitored  and  consistently  met  throughout  the  University 

•  develop  a  University-wide  plan  to  implement  well-designed  and  effective 
IT  security  controls  to  support  the  University's  information  security  policy 
framework 


Athabasca  University  needs  to  improve  its  information  technology  control 
framework  by: 

•  performing  annual  risk  assessments  and  implementing  IT  controls  to 
mitigate  identified  risks 

•  implementing  appropriate  security  over  financial  information  and  related 
IT  assets,  including  access  controls 

•  appropriately  managing  changes  to  computer  programs 

We  encourage  universities  and  colleges  to  continue  working  together  and  with 
the  Department  on  the  provincial  initiative. 

2.5  Review  accounting  treatment  for  Universities  Academic  Pension  Plan  for 
all  universities — implemented 

The  Universities  participate,  together  with  the  Banff  Centre,  in  the  Universities 
Academic  Pension  Plan.  UAPP  is  a  registered,  jointly  sponsored  defined-benefit 
pension  plan  that  pays  retirement,  disability,  spousal/survivor  and  termination 
benefits  to  eligible  members  or  their  eligible  survivors.  UAPP's  financial 
statements  of  December  3 1 ,  2008,  reported  an  unfunded  liability  of 
$1,055  billion. 


Athabasca 
University 
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In  our  October  2008  Report  (No.  23-   page  232).  we  recommended  that  the  four 
Alberta  universities  continue  to  work  together — and  with  the  Department  of 
Advanced  Education  and  Technology — to  review  the  accounting  treatment  for 
the  unfunded  liability  of  the  UAPP. 

The  universities  worked  together  and  now  have: 

•  recorded  the  liability  in  their  respective  financial  statements 

•  used  the  same  assumptions  set  by  the  UAPP  Board  of  Trustees  to  value  the 
total  liability 

•  allocated  the  total  liability  to  each  university  based  on  a  percentage  of 
pensionable  earnings 

•  restated  their  previous  year's  balances  based  on  a  change  in  accounting 
policy 

•  presented  the  effect  of  these  changes  similarly  in  the  respective 
universities'  financial  statements 


Universities  now  \ye  agreed  with  the  Universities'  conclusions.  We  audited  the  actuarial 

UAPP  m  ' 01  valuation  of  the  liability,  the  allocation  to  each  university  and  its  presentation  in 

that  university's  financial  statements.  We  are  satisfied  that  the  liability  is  fairly- 
recorded  and  disclosed. 


Financial  statements 

This  chapter  includes  the  results  of  our  March  31,  2009  financial  statement  and 
performance  measures  audits,  which  we  completed  after  our  April  2009  Report,  of 
the  following  organizations: 

•  Ministry  of  Advanced  Education  and  Technology 

•  Department  of  Advance  Education  and  Technology 

•  Access  to  the  Future  Fund 

•  Alberta  Enterprise  Corporation 

•  Four  of  Alberta's  universities 

•  Alberta  Research  Council 

•  iCORE  Inc. 

•  Alberta  Heritage  Foundation  for  Medical  Research 

•  Alberta  Heritage  Foundation  for  Science  and  Engineering  Research 

Our  April  2010  report  will  include  the  results  of  the  financial  statement  audits  of 
public  colleges,  technical  institutions  and  their  related  entities.  These  organizations 
have  a  June  30,  2009  year-end,  and  our  work  will  be  completed  by  November  2009. 
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Unqualified 
auditor's  opinions 


Unqualified 
opinions  for 
universities 


Our  auditor's  opinions  on  the  financial  statements  of  the  Ministry,  Department, 
Alberta  Research  Council,  iCORE  Inc.,  the  Access  to  the  Future  Fund  and  the 
Alberta  Enterprise  Corporation  for  the  year  ended  March  31,  2009,  are  unqualified. 
Our  auditor's  opinions  on  the  financial  statements  of  the  Alberta  Heritage 
Foundation  for  Medical  Research  and  Alberta  Heritage  Foundation  for  Science  and 
Engineering  Research  for  the  year  ended  March  3 1 ,  2009,  are  also  unqualified. 

Our  auditor's  opinions  on  the  financial  statements  for  the  year  ended 
March  31,  2009  of  the  following  universities  are  unqualified: 

•  Athabasca  University 

•  University  of  Alberta 

•  University  of  Calgary 

•  University  of  Lethbridge 


Unqualified 
review 

engagement  report 


Performance  measures 

The  Ministry  engaged  us  to  review  selected  performance  measures  in  the  Ministry's 
2008-2009  Annual  Report.  We  issued  an  unqualified  review  engagement  report  on 
these  measures. 
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Agriculture  and  Rural  Development 

Summary 

The  Department  of  Agriculture  and  Rural  Development  has: 

•  made  satisfactory  progress  implementing  our  2000-2001  recommendation 
relating  to  grant  accountability  systems    see  below 

•  implemented  our  2005-2006  recommendation  to  finish  verifying  eligibility  for 
the  cattle  set  aside  program    see  page  1 68 

•  implemented  our  2003  2004  recommendation  to  complete  a  risk  assessment 
and  develop  a  risk  mitigation  and  response  strategy  based  on  the  risk 
assessment — see  page  168 

Agriculture  Financial  Services  Corporation  (AFSC)  should: 

•  complete  an  IT  risk  assessment    see  page  168 

•  perform  independent  verification  of  cost-effectiveness  of  debt  restructuring 
see  page  1 70 

•  reviews  its  investments  on  a  quarterly  basis — sec  page  1 70 

AFSC  has  implemented  our  2006-2007  recommendation  to  assess  the  risks 
associated  with  wireless  networking  and  improve  controls  for  the  risks  identified 
see  page  1 7 1 

For  any  outstanding  recommendations  previously  made  to  the  organizations  that 
form  the  Ministry,  please  see  our  outstanding  recommendations  list  on  page  335. 


Our  audit  findings  and  recommendations 

1 .    Department  of  Agriculture  and  Rural  Development 
1.1  Grant  accountability  systems — satisfactory  progress 
Background 

In  our  2000-2001  Annua/  Report  (No.  3 — page  50).  we  recommended  that  the 
Department  evaluate  the  success  of  its  grant  programs  in  meeting  Ministry 
goals.  This  included  evaluating  the  grant  programs  themselves  as  well  as 
individual  grants  within  the  programs. 

In  2004-2005,  we  followed  up  on  our  recommendation  by  examining  nine 
grant  programs  from  the  2003-2004  fiscal  year.  We  found  that  the  Department 
did  not  make  satisfactory  progress  implementing  the  recommendation.  We 
again  recommended  that  the  Department  strengthen  its  grant  management 


Need  to  improve 
grant  systems 
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system  and  evaluate  the  success  of  its  grant  programs1  by  developing  a  system 
to  periodically  evaluate  the  performance  of  its  grant  programs,  establishing 
quantifiable  performance  measures  and  targets  for  its  grant  programs  and 
conducting  post-completion  evaluations  for  individual  grants  awarded. 

Our  objective  this  year  was  to  determine  if  the  Department  has  implemented 
our  recommendation  No.  20  in  our  2004-2005  Annual  Report  on  grant 
accountability. 

We  assessed  the  Department's  progress  against  the  four  criteria  outlined  in  our 
2004-2005  recommendation: 

1 .  to  periodically  evaluate  the  performance  of  its  grant  programs 

2.  to  establish  quantifiable  performance  measures  and  targets  for  its  grant 
programs 

3.  to  conduct  post-completion  evaluations  for  individual  grants  awarded 

4.  to  define  reporting  requirements  for  individual  grants  that  include 
outcomes 


Significant 
improvements  to 
grant  processes 


Our  audit  findings 

The  Department  has  made  satisfactory  progress,  but  has  not  yet  fully 
implemented  our  recommendation  on  evaluating  the  success  of  its  grant 
programs.  Significant  improvements  have  been  made  in  the  areas  of  grant 
program  review,  establishing  performance  indicators,  and  conducting 
post-completion  evaluation  and  defining  reporting  requirements  for  grant 
programs.  In  2008,  the  Department  completed  a  comprehensive  review  of  all 
programs  as  part  of  its  strategy  to  better  position  itself  to  assist  the  industry. 
The  Department  also  began  to  use  a  new  Operational  and  Reporting  System 
(OPAR)  for  a  more  effective  way  to  report  on  its  grant  programs. 


Department 
reviewed  several 
grant  programs 


Periodic  review  of  grant  programs 

We  found  the  Department  took  the  following  steps  in  implementing  our 
recommendation: 

•  In  2006,  the  Department  reviewed  the  processes  and  controls  of  three 
significant  programs — Agriculture  Service  Board  program,  Agriculture 
Initiative  program  and  Agricultural  Society  programs. 

•  In  2008,  the  Department  completed  a  formal  evaluation  of  all  its  grant 
programs  as  part  of  the  2008  restructuring  to  position  itself  to  better  assist 
the  livestock  industry.  The  review  involved  reassessment  of  each  program 
and  its  alignment  with  the  Department's  strategic  objectives,  evaluation  of 
external  and  internal  partners,  and  review  of  the  process  and  outputs  of 
each  grant  program. 


1  2004-2005  Annual  Report  of  the  Auditor  General  of  Alberta,  Recommendation  No.  20 
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Developed 
measures  for  grant 
programs 


Quantifiable  performance  measures  and  targets  for  grant  programs 

We  found  the  Department  took  steps  in  implementing  our  recommendation.  In 
2008,  the  Department  implemented  OPAR    Operational  and  Reporting 
System.  OPAR  is  a  web-based  application,  created  to  facilitate  the  development 
of  a  ministry  operational  plan  and  to  enable  review  of  consistent  sector  and 
division  operational  plans  across  the  ministry.  OPAR  encompasses  the 
strategies  and  performance  measures  contained  in  the  ministry's  business  plan, 
as  well  as  day-to-day  business  activities  and  targets  from  performance  reporting 
criteria.  All  grant  programs  can  be  linked  to  performance  indicators. 


Reporting  systems 
still  being 
implemented 


Our  examination  of  the  system  revealed  that  OPAR  is  not  fully  operational  yet. 
The  divisional  plans  are  still  in  the  process  of  being  finalized  and  keyed  into  the 
system.  The  performance  indicators  report  that  we  re\  iewed  in  July  2009 
included  few  initiatives,  however  no  grant  programs  were  linked  to 
performance  indicators  yet.  The  Department  expects  to  finalize  this  process  at 
the  end  of  September  2009. 


Post  completion 
evaluation  done 


Post-completion  evaluation 

In  2008-2009,  we  examined  a  sample  of  30  grants  covering  20  programs  to  test 
whether  a  post-completion  evaluation  is  completed  on  a  timely  basis.  We  found 
that  20  of  30  grants  had  post-completion  evaluations  in  place.  For  the  remaining 
10  grants,  post-completion  evaluations  were  not  applicable  due  to  timing  or 
because  they  were  deemed  to  be  insignificant.  Steps  are  taken  to  develop 
post-completion  evaluation  for  all  new  grant  programs. 


Monitoring  of 
program  outcomes 


Reporting  requirements  to  include  outcomes 

Our  examination  of  30  grants  covering  20  programs  from  the  2008-2009  year 
revealed  that  18  of  20  grant  programs  did  have  a  monitoring  process  in  place. 
The  remaining  two  grants  were  introduced  in  2008  2009  and  the  amounts  were 
not  significant.  Through  a  centralized  approach  in  Financial  Advisory  Sen  ices, 
the  Department  is  continuously  revising  the  monitoring  system  to  ensure  thai  all 
grants  include  strict  reporting  requirements  based  on  specific  outcomes. 


What  remains  to 
be  done 


To  fully  implement  this  recommendation  the  Department  needs  to: 

•  develop  a  systematic  process  to  periodically  evaluate  its  grant  programs 

•  assign  performance  indicators  or  other  measurable  outcomes  to  grant 
programs 
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Assessed  program 
compliance  and 
potential 
overpayments 


Risks  identified 
and  assessed 


Plans  to  integrate 
risk  assessment 
with  business  plan 


1 .2  Verifying  eligibility  for  Cattle  Set  Aside  program— implemented 

In  our  2005-2006  Annual  Report  (vol.  2— page  40),  we  recommended  that  the 
Department  finish  verifying  if  participants  complied  with  the  time  requirements 
of  the  Canada  Alberta  Fed  Cattle  Set  Aside  program  and  decide  if  further 
action  is  necessary. 

The  Department  used  a  risk-based  approach  to  assess  participants'  compliance 
with  program  requirements.  The  Department  identified  possible  non-compliant 
tags  and  estimated  the  potential  overpayments  to  participants.  The  overall 
results  were  that  the  maximum  possible  overpayment  was  not  significant,  so  the 
Department  decided  not  to  pursue  with  further  investigation.  We  agree  with  the 
Department's  assessment  and  conclude  that  this  recommendation  has  been 
implemented. 

1.3  Risk  assessment — implemented 

In  our  2003-2004  Annual  Report  (No.  3— page  80),  we  recommended  that  the 
Department  complete  a  risk  assessment  that  analyzes  the  probability  and  impact 
of  major  risks  to  the  agriculture  and  Agri-food  industry  in  Alberta.  We  also 
recommended  that  the  Department  develop  risk  mitigation  and  response 
strategies  based  on  the  risk  assessment. 

The  Department  has  implemented  this  recommendation  by  establishing  a  risk 
assessment  framework  that  identifies  the  key  risks  facing  the  Department  in 
achieving  its  goals,  objectives  and  strategies.  The  Department  also  assessed  the 
risks  in  terms  of  likelihood  and  potential  impact  and  developed  an  approach  to 
monitor  and  manage  each  key  risk. 

The  Department  plans  to  periodically  update  the  risks  management  process  and 
closely  monitor  the  risks  identified.  The  Department  plans  to  integrate  the 
enterprise  risk  management  process  into  the  business  planning  process.  A 
reporting  system  will  be  fully  operational  in  2009-2010  to  link  the  risks 
identified  to  the  strategic  and  operational  indicators. 

2.   Agriculture  Financial  Services  Corporation 
2.1  IT  risk  assessment  and  control  framework 
Recommendation 

We  recommend  that  Agriculture  Financial  Services  Corporation: 

•  complete  an  Information  Technology  (IT)  risk  assessment  to  identify 
and  rank  the  risks  within  its  computing  environment,  linking  to 
business  objectives;  and 

•  design  and  implement  IT  controls  to  mitigate  the  risks  it  identifies. 
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Background 

A  risk  assessment  identities  and  ranks  risks  based  on  their  likelihood  and 
impact.  Once  risks  arc  identified  and  ranked,  it  is  easier  to  decide  what  IT 
control  activities  to  implement  to  protect  important  financial  and  business 
systems  and  data  against  these  risks,  and  what  risks  to  accept  if  they  can't  be 
mitigated. 

An  IT  control  framework,  such  as  Control  Objectives  for  Information  and 
related  Technology  (COBIT),  can  be  utilized  to  bridge  the  gap  between  control 
requirements,  technical  issues,  and  business  risks.  It  gives  senior  management 
and  IT  users  generally  accepted  measures,  indicators,  processes  and  best 
practices  to  maximize  IT  benefits  and  minimize  risks. 

Criteria:  the  standards  we  used  for  our  audit 

Alberta  Financial  Services  Corporation  should: 

•  have  an  IT  risk  assessment  strategy  and  regularly  identify  and  assess  its 
risks,  and  define  a  process  to  accept  risks  that  IT  controls  cannot  efficiently 
or  effectively  mitigate 

•  design  and  implement  appropriate  and  effective  IT  controls  to  mitigate  the 
identified  risks 


Need  to  link  risk 
assessment  to 
business 
objectives 


Our  audit  findings 

AFSC  has  not  fully  implemented  their  formal  risk  assessment  framework. 
AFSC's  IT  team  has  completed  an  initial,  high-level  risk  assessment,  but  only 
from  an  IT  perspective  without  a  formal  link  back  to  AFSC's  business 
objectives.  The  IT  team  has  also  developed  a  matrix  of  their  identified  risks, 
and  have  ranked  these  risks  based  on  severity  and  criticality.  But.  they  haven't 
conducted  a  detailed  risk  analysis  or  created  a  roadmap  to  resolve  the  identified 
risks. 


Need  action  plan 
to  resolve  risks 


To  fully  implement  this  control,  AFSC  should  continue  pursuing  the  objectives 
outlined  in  its  Information  Risk  Assessment  Project  Charter  and  fully  document 
the  activities  required  to  complete  the  third  milestone — an  action  plan  for 
addressing  risk. 


Implications  and  risks  if  recommendation  not  implemented 

Without  an  IT  risk  assessment,  AFSC  may  not  be  able  to  rely  on  the 
completeness,  accuracy,  availability  or  validity  of  its  financial  information. 
Confidential  financial  information  may  be  used  or  disclosed  in  a  way  that  leads 
to  fraud,  loss  of  money  or  reputation. 
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2.2  Note  payable  repurchase 
Recommendation 

We  recommend  that  Agriculture  Financial  Service  Corporation  perform 
an  analysis  on  debt  restructuring  to  verify  cost  effectiveness  and  confirm 
alignment  with  its  overall  cash  management  objectives. 

Background 

In  August  2008,  Alberta  Finance  communicated  to  AFSC  the  opportunity  to 
repurchase  $67  million,  5.93%  bonds  payable  due  September  2016  and  replace 
it  with  $75  million,  3.25%  bonds  payable  due  March  201 1.  Alberta  Finance 
stated  that  this  repurchase  would  save  AFSC  approximately  $480,000. 

Criteria:  the  standards  we  used  for  our  audit 

Agriculture  Financial  Services  Corporation  should  perform  their  own  internal 
analysis  of  debt  restructuring  to  ensure  that  it  is  cost  effective  and  that  it  aligns 
with  AFSC's  overall  cash  management  objective. 


Our  audit  findings 

Agriculture  Financial  Services  Corporation  did  not  perform  its  own  analysis  of 
the  debt  restructuring  opportunity  identified  by  Alberta  Finance  to  verify  cost 
effectiveness.  Also,  AFSC  did  not  ensure  the  results  of  the  transaction  aligned 
with  its  overall  cash  management  objectives. 

Implication  and  risks  if  recommendation  not  implemented 

Agriculture  Financial  Services  Corporation  may  make  some  decisions  that  are 
not  cost  effective  or  not  aligned  with  its  cash  management  policy  and  strategy. 

2.3  Investment  portfolio  analysis 
Recommendation 

We  recommend  that  Agriculture  Financial  Services  Corporation  perform 
a  quarterly  review  of  the  market  value  of  its  investment  portfolio. 

Background 

The  investment  portfolio  of  AFSC  is  managed  by  Alberta  Investment 
Management  Company  (AIMCo).  AIMCo  submits  monthly  portfolio  reports  to 
AFSC  detailing  AFSC's  investment  portfolio  by  individual  holdings  (bonds, 
securities  and  asset-backed  securities).  This  report  provides  information  on  the 
performance  of  AFSC's  investments  by  comparing  market  value  to  book  value. 


Need  to  verify 
cost  savings  on 
debt  restructuring 
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Criteria:  the  standards  we  used  for  our  audit 

Agriculture  Financial  Services  Corporation  should  periodically  re\  iew  the  fair 
value  of  its  investment  portfolio  by  financial  instrument  to  determine  whether  a 
write-down  is  required.  The  following  criteria  may  be  incorporated  in  the 
analysis: 

•  if  there  is  a  loss  in  value  of  a  portfolio  investment  that  is  other  than  a 
temporary 

•  if  there  is  management  intention  to  trade  or  liquidate  the  security 

•  if  the  decrease  in  the  market  value  compared  to  the  carrying  \  alue  is 
over  20% 

Our  audit  findings 

Agriculture  Financial  Services  Corporation  does  not  have  a  regular  process  to 
analyze  the  performance  of  its  portfolio  investments  to  verify  valuation  and 
determine  whether  a  write-down  from  book  value  to  market  value  is  required.  A 
review  should  be  conducted  on  a  quarterly  basis  and  any  required  write-downs 
should  be  recorded  immediately. 

Implication  and  risks  if  recommendation  not  implemented 

Agriculture  Financial  Services  Corporation  may  fail  to  recognize  a  write-dow  n 
of  its  investments  in  the  proper  period. 

2.4  Wireless  technology — implemented 

In  our  2006-2007  Annual  Report  (vol.  2 — page  32),  we  recommended  that  the 
Agriculture  Financial  Services  Corporation  assess  the  risks  associated  with 
wireless  networking  and  implement  policies  and  improve  controls  for  the  risks 
identified. 

Agriculture  Financial  Services  Corporation  has  implemented  this 
recommendation  by  developing  and  implementing  procedures  to  manage  the 
use  of  wireless  technology  in  its  computing  environment.  AFSC  now  conducts 
regular  scans  to  identify  unauthorized  wireless  access  points.  Scan  results  are 
documented,  unknown  access  points  are  further  investigated  and  disabled  if 
they  are  found  to  be  unauthorized. 


No  regular  process 
to  assess 

investment  values 


Monitors  and 
investigates  use  of 
wireless 
technology 
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Financial  statements 

Unqualified  Our  auditor's  opinion  on  the  Ministry  and  Department's  financial  statements  for  the 

auditor's  opinions     ^  ended  March  3  ,  ?  2QQ9  ^  unqualified> 

Our  auditor's  opinion  on  the  Agriculture  Financial  Services  Corporation's  financial 
statements  for  the  year  ended  March  3 1 ,  2009  is  unqualified. 

We  issued  unqualified  auditor's  opinions  on  the  reconciliations  of  administration 
costs  and  program  payments  for  the  Canadian  Agricultural  Income  Stabilization  and 
AgriStability  Programs  for  all  program  years  ended  March  31,  2009. 

Performance  measures 

Unqualified  jne  Ministry  engaged  us  to  review  selected  performance  measures  in  the  Ministry's 

review  2008-2009  Annual  Report.  We  issued  an  unqualified  review  engagement  report  on 

engagement  report 

these  measures. 


I  Report  of  the  Auditor  General  of  Alberta 

72  October  2009 


Financial  Statement  and  Other  Assurance  Audits 


Children  and  Youth  Services 


Children  and  Youth  Services 

Our  audit  findings  and  recommendations 

Contract  management  systems — implemented 

In  2001  2002  (No.  8 — page  53),  we  recommended  that  the  Ministry  strengthen  the 
process  used  to  award  and  manage  contracts.  In  2004  2005  and  2007  2008.  we 
followed  up  and  concluded  that  the  Ministry  had  made  satisfactory  progress  in 
awarding  contracts,  but  needed  to  periodically  evaluate  contractors'  performance. 

Management  implemented  our  recommendation  by  completing  contractors" 
assessment  forms  for  each  contract  that  has  been  completed. 

Past  For  any  outstanding  recommendations  previously  made  to  the  organizations  that 

recommen  a  ions     form  me  Ministry,  please  see  our  outstanding  recommendations  list  on  page  335. 


Financial  statements 

Unqualified  Qur  auditor'  s  opinions  on  the  Ministry  and  Department  of  C  hildren  and  Youth 

au  i  oi  s  opinions    servjceSi  an(j  ten  Child  and  Family  Services  Authorities  for  the  year  ended 
March  31,  2009  are  unqualified. 

Performance  measures 

Unqualified  j^q  Ministry  engaged  us  to  review  selected  performance  measures  in  the  Ministry's 

2008  2009  Annual  Report.  We  issued  an  unqualified  review  engagement  report  on 


review 

engagement  report 


these  measures. 
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Culture  and  Community  Spirit 

Past  For  any  outstanding  recommendations  previously  made  to  the  organizations  that 

recommendations     form  tric  Ministry,  please  see  our  outstanding  recommendations  list  on  page  335. 


Financial  statements 

Unqualified  Our  auditor's  opinions  on  the  financial  statements  of  the  Ministry.  Department  and 

auditor  s  opinions    ^e  f0j]owjng  sjx  provincial  agencies  for  the  year  ended  March  3 1 .  2009  are 
unqualified: 

Alberta  Foundation  for  the  Arts 
Alberta  Historical  Resources  Foundation 
Government  House  Foundation 
Historic  Resources  Fund 

Human  Rights,  Citizenship  and  Multiculturalism  Education  Fund 
Wild  Rose  Foundation 

Performance  measures 

Unqualified  Ministry  engaged  us  to  review  selected  performance  measures  in  the  Ministry's 

revievv  .  .  2008-2009  Annual  Report.  We  issued  an  unqualified  review  engagement  report  on 
engagement  report  r  "  &  &  r 

these  measures. 
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Education 

Summary 

The  Department  of  Education  implemented  our  recommendation  relating  to  savings 
generated  by  the  Learning  Resource  Centre    see  below  . 

For  any  outstanding  recommendations  prev  iously  made  to  the  organizations  that 
form  the  Ministry,  please  see  our  outstanding  recommendations  list  on  page  335. 


Our  audit  findings  and  recommendations 

Savings  generated  by  the  Learning  Resource  Centre — implemented 

In  our  2004-2005  Annua/  Report  (No.  27 — page  157),  we  recommended  that  the 
Department  of  Education  implement  a  system  to  periodically  evaluate  the  savings 
generated  by  the  Learning  Resources  Centre. 

The  Department  completed  its  evaluation  of  cost  savings  provided  to  school 
jurisdictions  by  analyzing  over  200  invoices  generated  by  the  Centre  between 
April  1 ,  2007  and  March  3 1 ,  2008.  The  Department  extrapolated  these  results  to  all 
sales  for  that  year. 

Savings  achieved  The  analysis  estimated  that  school  jurisdictions  saved  $2.9  million  by  buying 
learning  resources  from  the  Learning  Resources  Centre  as  compared  to  direct 
purchases  from  the  publishers. 

Operating  costs       After  including  the  costs  of  operating  the  Centre,  such  as  costs  of  supporting 

infrastructure,  the  Department  concluded  that  the  Centre  provides  a  net  sa\  ing  of 
$2.3  million  to  the  K-12  sector.  The  Department  also  evaluated  the  effect  of  other 
Ministry  initiatives  the  Centre  is  involved  in,  such  as  negotiating  standing  offers  that 
allow  school  jurisdictions  to  purchase  computer  hardware  and  software  at  lower 
prices,  and  providing  specialized  services  for  the  visually  impaired.  The  Department 
plans  to  evaluate  the  savings  generated  by  the  Centre  every  three  years. 


Assessment 
methodology 


Financial  statements 

Unqualified  Our  auditor's  opinions  on  the  financial  statements  of  the  Ministry,  Department,  and 

the  Alberta  School  Foundation  Fund  for  the  year  ended  March  3 1 .  2009  are 
unqualified. 


auditor's  opinions 
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Performance  measures 

Unqualified  jhe  Ministry  engaged  us  to  review  selected  performance  measures  in  the  Ministry's 

review  ^008-2009  Annual  Report.  We  issued  an  unqualified  review  engagement  report  on 

engagement  report 

these  measures. 
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Employment  and  Immigration 

Summary 

We  examined  the  Department's  systems  for  delivering  the  Homeless  Eviction 
Program  (HEP)  Fund.  The  HEP  Fund  has  been  discontinued,  but  we  have  made  the 
following  recommendations  that  are  applicable  to  ongoing  programs  of  the 
Department: 

•  the  Department  should  improve  the  processes  of  its  fraud  investigation  units  by 
defining  clear  objectives  and  establishing  criteria  for  its  investigations — see 
page  186 

•  the  Department  should  improve  plans  and  set  timelines  for  resoh  ing 
non-compliance  matters  and  reducing  the  types  of  errors  identified  b\  its 
internal  auditors — see  page  189 

The  Department  has  implemented  our  recommendation  to  improve  its  capital  asset 
policy  and  procedures — see  page  190 

Our  previous  recommendation  to  improve  controls  to  prevent  duplicate  Income 
Support  payments  is  no  longer  valid  due  to  changed  circumstances    see  page  190 

The  Workers'  Compensation  Board  should: 

•  assess  whether  it  is  conducting  sufficient  claims  audits  each  year    see  page  1 9 1 

•  formalize  its  information  technology  security  monitoring  procedures 
see  page  1 92 

WCB  has  implemented  our  October  2008  recommendation  to  enforce  procedures 
and  guidelines  for  its  purchasing  card  program — see  page  193 

For  any  outstanding  recommendations  previously  made  to  the  organizations  that 
form  the  Ministry,  please  see  our  outstanding  recommendations  list  on  page  335. 


Our  audit  findings  and  recommendations 

1 .    Department  of  Employment  and  Immigration 
1.1  Homeless  and  Eviction  Prevention  Fund 
What  we  examined 

We  examined  the  Department  of  Employment  and  Immigration's  systems  to 
assess  the  eligibility  of  applicants  to  the  HEP  Fund,  ensure  HEP  funds  are  paid 
in  accordance  with  its  policies  and  procedures,  and  identify  and  deal  with 
suspected  abuse  of  the  HEP  Fund. 
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HEP  Fund 
introduced  in  2007 
and  discontinued 
in  2009 


The  Department  introduced  the  HEP  Fund  in  May  2007  to  provide  short-term 
relief  to  prevent  homelessness.  Since  then  the  HEP  Fund  evolved  in  part  to  an 
ongoing  rent  supplement.  Payments  during  2007  totaled  $47  million.  In 
2008-2009,  the  Department  issued  $76  million  in  HEP  Fund  payments.  The 
Government  of  Alberta  discontinued  the  HEP  Fund  in  April  2009,  and  replaced 
it  with  the  direct  rent  supplement  delivered  by  management  bodies  through  the 
Ministry  of  Housing  and  Urban  Affairs.  The  Department  continues  to 
administer  emergency  damage  deposit  and  eviction  prevention  through  its 
Income  Support  program. 

Why  it  is  important  to  Albertans 

Albertans  want  to  be  confident  that  emergency  programs  such  as  HEP  provide 
funds  to  only  those  for  whom  the  programs  are  designed.  Further,  Albertans 
expect  that  the  Department  will  identify  and  appropriately  deal  with  any  abuses 
of  public  resources. 


Policies  were  not 
always  followed 


No  new  staff  hired 
for  program 


Segregation  of 
duties  was  weak 


What  we  found 

The  Department  had  systems  and  resources  to  assess  an  applicant's  eligibility, 
manage  payments  and  deal  with  cases  of  suspected  abuse  under  the  HEP  Fund. 
However,  we  found  that  policies  were  not  always  followed  and  that  some 
processes  could  be  improved. 

The  following  observations  are  specific  to  our  audit  of  the  HEP  Fund,  which 
has  been  discontinued.  Therefore,  these  observations  did  not  result  in 
recommendations.  Nevertheless,  these  observations  may  be  applicable  to  future 
programs  launched  under  similar  circumstances.  Following  these  observations 
about  the  HEP  Fund,  we  make  two  recommendations  about  the  Department's 
operations. 

The  Department  staff  who  administered  the  HEP  Fund  Program: 

•  used  existing  information  systems  effectively  to  process  payments. 
Management  informed  us  that  no  new  staff  were  hired  to  administer  the 
program. 

•  did  not  always  follow  Department  policy  when  determining  eligibility  for 
HEP  Fund  benefits.  In  some  cases,  staff  approved  applications  and  made 
payments  without  adequate  documentation  evident  on  files. 

•  did  not  use  a  payment  system  that  segregated  their  duties  for  processing 
one-time  HEP  Fund  payments.  Without  other  compensating  internal 
controls,  a  fraudulent  payment  could  have  been  generated. 
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Investigation  units 
need  bet  1  er 
guidelines 


Internal  audits 
again  found  lack 
of  support 


Augment  random 
sampling 


The  following  observations  are  the  subject  of  our  recommendations  in  this 
report.  The  Department: 

•  has  a  mechanism  to  deal  with  suspected  cases  of  fraud  and  abuse. 
However,  the  Department  lacks  clearly  defined  guidelines  for  its 
investigation  units  and  lacks  criteria  for  determining  when  to  pursue  a 
fraud  case. 

•  conducted  an  internal  audit  in  September  2007  in  response  to  alleged  fraud 
by  HEP  Fund  recipients.  One  of  the  key  findings  from  this  audit  was  the 
lack  of  support  documentation  in  51  out  of  239  files  sampled.  In 
January  2009.  internal  audit  found  similar  results  in  a  second  audit. 

•  conducts  home  visits  using  randomly  selected  samples.  The  Department 
does  not  augment  this  methodology  with  samples  based  on  potential  risk  or 
unusual  circumstances. 


Guidance  needed 
for  investigative 
units 


Responding  to 
internal  audit 
findings 


What  needs  to  be  done 

Although  we  make  no  recommendations  about  the  HEP  Fund,  some  of  our 
findings  apply  as  well  to  other  operations  of  the  Department.  Accordingly,  we 
identified  two  areas  where  we  believe  the  Department  could  improve  its 
processes: 

•  The  Department  should  improve  the  processes  of  its  investigation  units  by 
defining  clear  objectives  and  establishing  criteria  for  determining  when  to 
undertake  a  full  fraud  investigation.  The  Department  should  also  develop 
fraud-specific  training  programs  for  investigative  staff. 

•  The  Department  should  develop  detailed  plans  and  set  timelines  for 
reducing  types  of  errors  and  resolving  non-compliance  matters  identified 
during  internal  audits.  The  Department  should  also  develop  a  risk-based 
approach  to  select  samples  for  internal  audit  and  for  random  home  visits  by 
the  investigation  unit. 


Audit  objectives  and  scope 

The  objectives  of  this  audit  were  to  determine  if  the  Department  had  systems  to: 

•  assess  the  eligibility  of  HEP  Fund  applicants 

•  ensure  that  staff  made  HEP  Fund  payments  in  accordance  with  its  policies 
and  procedures 

•  identify  and  deal  with  suspected  abuse  of  the  HEP  Fund 

To  perform  the  audit  we: 

•  examined  policy  and  procedures 

•  examined  processes  and  files  at  two  service  centres:  one  urban  and  one 
rural 

•  examined  processes  and  files  at  two  fraud  investigation  units:  one  urban 
and  one  rural 

•  interviewed  staff  at  these  regional  offices  and  fraud  investigation  units 
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Assistance  to 
Albertans  in  need 


Internal  audit 
conducted  in  2007 


•     assessed  the  processes  internal  audit  uses  to  conduct  ongoing  investigations 
of  the  program 

Background 

In  2007,  the  Alberta  Affordable  Housing  Task  Force  recommended  introducing 
a  Homeless  and  Eviction  Prevention  Fund  to  assist  low-income  Albertans  who 
were  at  risk  of  losing  their  homes  due  to  rent  increases  or  rent  arrears,  as  well  as 
to  help  those  who  needed  support  to  establish  a  new  residence. 

The  Department  of  Employment  and  Immigration  began  delivering  the 
HEP  Fund  program  on  behalf  of  the  (then)  Ministry  of  Municipal  Affairs  and 
Housing  on  May  11,  2007. 

In  2007,  the  media  reported  allegations  that  individuals  were  abusing  the 
HEP  Fund  by  presenting  inadequate  and  fraudulent  documentation  for  rent 
increases,  eviction  notices  and  utility  arrears,  and  that  Department  staff  were 
not  taking  sufficient  steps  to  verify  the  authenticity  of  claims.  On  July  18,  2007, 
the  (then)  Minister  of  Employment,  Immigration  and  Industry  asked  the 
Department's  internal  auditors  to  review  the  administration  of  the  HEP  Fund  to 
ensure  accountability  for  the  program's  procedures. 


Payments  to 
renters  increased 


Cap  placed  on  rent 
subsidy 


HEP  Fund  program 

Albertans  who  were  18  years  old  or  over,  at  risk  of  being  homeless,  and  without 
available  financial  assets,  could  apply  for  assistance  from  the  HEP  Fund.  In 
2007-2008,  the  Department  issued  $47  million  in  payments  under  this  program. 
Payments  for  2008-2009  were  $76  million. 

Assistance  under  this  program  included  the  payment  of  rent  arrears,  rent 
shortfall  or  funds  for  new  residents  to  establish  a  rental  residence  in  Alberta. 
Caseworkers  at  the  Department's  regional  offices  assessed  whether  an  applicant 
was  eligible  to  receive  HEP  Fund  assistance.  The  Department  did  not  hire 
additional  caseworkers  or  other  staff  to  administer  this  program. 

In  July  2008,  the  Department  issued  direction  that  rent  shortfall  payments  were 
not  a  core  benefit  and  were  therefore,  not  to  be  used  in  determining  someone's 
eligibility  for  Income  Support.  Management  developed  other  policies  such  as 
not  requiring  recipients  to  reapply  for  ongoing  rent  supplement  payments,  but 
still  requiring  them  to  maintain  contact  with  their  caseworker. 

In  November  2008,  management  introduced  a  limit  of  $1,000  on  payments  that 
staff  could  make  without  supervisory  approval.  Management  also  set  a 
maximum  limit  on  how  much  rent  subsidy  could  be  paid.  This  amount  was 
based  on  average  published  rents  in  an  area.  Before  this,  the  full  amount  of  the 
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Program  became 
an  ongoing 
supplement 


applicant's  rent  could  be  used  to  calculate  the  subsidy.  The  rent  subsidy  was 
also  reduced  by  the  amount  of  direct  rent  supplement  that  an  applicant  would  be 
eligible  for  through  other  programs,  based  on  the  applicant's  income. 

The  HEP  Fund  was  initially  established  to  provide  short-term  relief  to 
Albcrtans  at  risk  of  becoming  homeless.  However,  in  substance  it  appears  to 
have  evolved  into  an  ongoing  supplement  for  Albcrtans  who  had  recurring 
problems  with  making  their  monthly  rent  payments. 

HEP  Fund  discontinued 

The  Department  discontinued  the  HEP  Fund  in  April  2009.  and  replaced  it  with 
the  direct  rent  supplement  delivered  by  management  bodies  through  the 
Ministry  of  Housing  and  Urban  Affairs.  The  Department  continues  to  prov  ide 
emergency  damage  deposit  and  eviction  funds  within  its  Income  Support 
program. 

Observations  on  the  HEP  Fund 

We  made  the  following  observations  during  our  audit.  Due  to  the 
discontinuation  of  the  HHP  program,  these  observations  do  not  include 
recommendations  for  improvement.  Nevertheless,  we  pro\  ide  the  observations 
for  management  to  consider  in  the  event  the  Department  launches  a  similar 
program  in  the  future. 


No  new  staff  hired 


Using  existing  staffing  and  resources 

The  Department  informed  us  that  they  did  not  hire  any  additional  staff  to 
administer  this  program.  The  Department  effectively  used  its  existing 
information  systems  to  process  payments  and  developed  separate  data  input 
codes  to  separate  HEP  benefits  from  other  payments. 


Caseworkers  who  suspected  abuse  of  the  HEP  Fund  advised  the  Department's 
fraud  investigation  unit  of  their  concerns. 


Investigators 
follow  up  on 
suspected  abuses 


Investigations 

The  Department's  fraud  investigation  units  follow  up  suspected  program  abuse 
based  on  complaints  from  caseworkers  or  information  provided  by  the  public. 
All  investigators  are  peace  officers  with  the  authority  to  lay  fraud  charges  under 
the  Criminal  C  'ode  and  gather  evidence  through  such  channels  as  seeking  a 
production  order. 


1  R.S.C  1985.C.C-46 

2  Under  Section  487.012  of  the  Criminal  Code,  this  is  an  order  by  a  justice  or  judge  to  a  person,  other  than  a  person  under 
investigation,  to  produce  or  prepare  certain  documents  within  a  time  frame  as  specified  in  the  Order. 

Report  of  the  Auditor  General  of  Alberta 
October  2009 


183 


Financial  Statement  and  Other  Assurance  Audits 


Employment  and  Immigration 


Investigators  also  conduct  onsite  visits  to  verify  information  provided  by 
benefit  recipients  or  to  follow  up  on  suspected  cases  of  financial  abuse.  The 
Edmonton  Investigation  and  Review  Unit  also  initiates  and  conducts  random 
onsite  visits  to  verify  occupancy  and  landlord  information  contained  in  selected 
case  files. 

Internal  audit 

In  September  2007,  the  Department  completed  its  internal  audit  on  the 

HEP  Fund  and  issued  a  report.  To  improve  processes,  the  report  recommended, 

and  management  agreed,  the  Department  should: 

•  obtain  adequate  documentation  from  applicants 

•  issue  new  directives  to  clarify  how  staff  should  coordinate  benefits 

•  conduct  random  checks  on  recipients"  rental  accommodation 

•  implement  a  process  to  ensure  that  applicants  are  not  also  receiving  other 
rent  supplement  benefits  such  as  the  direct  rent  supplement  program 
administered  by  Housing  and  Urban  Affairs 

•  develop  a  separate  recovery  process  for  HEP  Fund  overpayments 

Evolution  of  the  program 

The  HEP  Fund  was  intended  as  short-term  support  to  provide  emergency  relief 
to  Albertans  who  faced  eviction  or  homelessness.  Initially,  management 
provided  staff  with  relatively  simple  guidelines  on  how  to  deliver  the  program. 

In  September  2007,  an  internal  audit  recommended  that  the  Department  clarify 
how  staff  should  coordinate  benefits  between  the  Department's  Income  Support 
and  HEP  programs.  Internal  audit  identified  that  the  Department  needed  clearer 
procedures  to  allow  staff  to  confidently  determine  which  of  the  two  programs 
should  assist  the  applicant. 

Ensuring  staff  follow  policies  and  gather  adequate  information  from 
applicants 

Department  policies  require  staff  to  obtain  proper  documents  to  support 
applications  before  making  payments.  This  policy  was  not  consistently 
followed. 

To  obtain  HEP  Fund  benefits,  applicants  were  required  to  provide  support 
documentation,  such  as: 

•  personal  identification 

•  confirmation  from  a  landlord  indicating  significant  rent  arrears  or  an 
eviction  notice 

•  confirmation  that  the  applicant  did  not  have  sufficient  financial  resources 
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No  evidence  that 
staff  obtained 
required 
documentation 


Key  to  this  application  process  was  that  applicants  must  establish  their  identity. 
In  25  out  of  50  tiles  we  examined,  there  was  no  evidence  in  the  case  file  that  the 
caseworkers  obtained  the  identification  required  by  the  Department's  policy. 


The  amount  of  the  eviction  benefit  payment  was  based  on  the  amount  of  arrears 
stated  in  an  applicant's  eviction  notice.  In  six  out  of  24  files  we  examined  for 
which  the  Department  paid  an  initial  eviction  benefit,  there  was  no  eviction 
notice  in  the  file  to  support  the  payment. 


Risk  of  paying 
excess  funds 


Case  files  did  not  demonstrate  that  the  Department  gathered  adequate 
information  from  applicants.  For  example,  the  Department  did  not  require 
independent  documentation  of  a  request  for  a  new  resident  benefit,  such  as  a 
copy  of  a  proposed  lease,  proposed  rent  charges  or  a  tenancy  agreement.  We 
also  found  that  in  five  out  of  39  files  reviewed  for  which  the  Department  paid  a 
new  resident  benefit,  there  was  no  documentation  to  substantiate  the  amount 
requested. 

Without  full,  relevant  and  pertinent  information  from  the  applicant,  and  without 
documentation  to  support  the  amount  paid,  the  Department  might  be  paying 
excess  funds.  For  example,  recipients  might  hav  e  receiv  ed  benefits  for  which 
they  were  not  eligible  or  might  have  received  payments  in  amounts  that  were 
incorrect. 


Payments  could 
be  processed 
without 
supervisory 
approval 


Risk  of  fraud  from 
lack  of 

segregation  of 
duties 


Designing  adequate  internal  controls 

The  Department  required  that  a  supervisor  review  all  payments  over  SI  .000. 
However,  the  automated  payment  system  did  not  support  this  policy:  staff  w  ere 
able  to  process  and  make  payments  without  supervisory  approval. 

A  HEP  Fund  applicant  who  was  not  on  Income  Support  w  as  required  to  meet 
with  a  Career  and  Employment  Consultant.  These  applicants  may  only  have 
needed  to  access  the  HEP  Fund  once.  From  July  2007  to  December  2008,  the 
Department  issued  $18.3  million  in  payment  to  applicants  w  ho  were  one-time 
HEP  Fund  recipients.  Each  Career  and  Employment  Consultant  would  be 
responsible  for: 

•  assessing  the  applicant's  initial  eligibility 

•  processing  and  approv  ing  the  application  for  HEP  assistance 

•  ensuring  the  applicant  provided  all  required  supporting  documentation 

•  initiating  a  payment  using  the  Local  Income  Support  Application  s\  stem 

•  closing  the  applicant's  file 


Files  were  not  reviewed  by  a  second  party  before  the  Department  issued 
payment  or  before  the  Career  and  Employment  Consultant  closed  the  file. 


Report  of  the  Auditor  General  of  Alberta 
October  2009 


1 


Financial  Statement  and  Other  Assurance  Audits 


Employment  and  Immigration 


No  evidence  stall 

misappropriated 

funds 


ln\  estigative  units 
in  six  regions 


Several  ways  a 
case  can  be 
concluded 


Dealing  with  Fund 
abuse 


We  found  no  evidence  of  funds  misappropriated  due  to  this  lack  of  segregation 
of  duties.  However,  there  was  increased  risk  to  the  Department.  Employees 
have  opportunities  to  generate  fraudulent  payments  if  there  are  no  preventative 
controls  in  place.  Controls  such  as  segregation  of  duties  would  mitigate  the 
risks  of  having  the  same  person  assess  an  applicant's  needs,  initiate  and  process 
the  payment,  and  then  subsequently  close  the  file. 

Recommendations 

1.1.1  Fraud  investigation  processes 

Recommendation 

We  recommend  that  the  Department  of  Employment  and  Immigration 
improve  the  processes  of  its  investigation  units  by: 

•  defining  clear  objectives  for  investigation  units 

•  establishing  guidelines  for  determining  when  they  should  undertake  a 
fraud  investigation 

•  providing  fraud-specific  training  for  investigation  unit  staff 

Background 

The  Department  has  investigation  units  in  each  of  its  six  regions.  These  units 
initiate  investigations  when  they  receive  complaints  from  Department 
caseworkers  or  information  from  members  of  the  public.  The  Edmonton  unit 
has  four  investigators  assigned  to  HEP  Fund  cases.  They  had  approximately 
80  open  HEP  Fund  investigations  files  at  the  time  of  our  audit.  Two 
investigators  in  the  Central  Region  had  12  HEP  Fund  cases  in  their  caseload.  In 
addition  to  HEP  cases,  these  units  investigate  alleged  abuses  of  other 
Departmental  programs.  An  investigation  that  results  in  enough  evidence  to  lay 
fraud  charges  can  take  months  to  complete. 

An  investigation  may  be  concluded,  and  the  file  closed,  if: 

•  there  was  no  proven  abuse  of  funds 

•  evidence  of  abuse  was  found,  but  it  was  insufficient  to  pursue  criminal 
charges 

•  the  dollar  amount  involved  was  materially  insignificant  to  pursue  criminal 
charges 

•  there  was  enough  evidence  to  pursue  criminal  charges,  but  other 
circumstances  resulted  in  a  decision  not  to  follow  this  course  of  action 

•  enough  evidence  of  fraud  was  found  and  prosecution  was  pursued 

The  Department  has  several  courses  of  action  available  to  deal  with  misuse  of 
the  Fund.  Depending  on  the  evidence  available,  the  Department  can: 

•  request  repayment  of  the  funds  by  assessing  an  overpayment  or  entering 
into  a  repayment  agreement 
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•  recommend  to  the  Crown  that  the  person  be  placed  in  the  Adult  Alternativ  e 
Measures  Program' 

•  pursue  a  criminal  prosecution 


Recovering 
overpayment 


The  Department  recovers  overpayments  at  a  maximum  rate  of  $20  per  month  if 
the  recipient  is  also  receiving  Income  Support.  If  the  recipient  is  not  on  Income 
Support,  the  Department  enters  into  a  repayment  agreement.  There  is  no  "cap" 
on  how  much  in  overpayments  can  be  assessed  or  allowed  to  accumulate 
against  each  HEP  recipient. 


Criteria:  the  standards  we  used  for  our  audit 

Decisions  to  pursue  fraud  charges  should  conform  to  established  guidelines  and 
be  based  on  the  results  of  investigation. 


Each  region  has 
own  investigate  e 
processes 


No  guidelines  for 
breadth  of 
investigations 


Our  audit  findings 

Each  region  has  developed  its  own  processes  to  track  and  assess  incoming 
complaints  and  assign  investigations.  Each  investigation  unit  conducts  an  initial 
review  of  the  infonnation  they  receive  to  assess  the  validity  of  the  complaint.  If 
an  investigation  is  to  be  undertaken,  management  assigns  an  investigator,  who 
opens  a  file.  Investigators  submit  a  report  of  the  investigation  results  for  their 
supervisor's  review  and  approval.  The  report  is  included  in  the  recipient's  file 
to  help  caseworkers  assess  whether  to  issue  a  future  payment. 


Evidence  of  overpayment  can  usually  be  found  early  in  the  investigation. 
Investigators  require  much  more  time  and  effort  to  conduct  a  full  investigation 
suitable  for  taking  a  case  to  court.  The  Department  does  not  have  guidelines  for 
determining  when  to  undertake  a  fraud  investigation.  For  example,  the 
Department  may  consider  guidelines  such  as: 

•  a  minimum  value  of  suspected  fraud  before  initiating  an  in\  estigation 

•  what  to  do  if  the  suspect  has  left  the  jurisdiction 

•  how  to  weigh  the  impact  of  a  suspect's  personal  circumstances  or  previous 
criminal  behaviour 

•  direction  for  when  and  how  investigators  should  consult  with  the  Crow  n 
prosecutor 

•  circumstances  under  w  hich  to  recommend  the  Adult  Alternative  Measures 
Program 


'  The  Adult  Alternative  Measures  Program  is  offered  to  first-  and  second-time  adult  offenders  charged  with  certain  minor 
offences.  Instead  of  having  to  go  to  court,  if  the  offender  accepts  responsibility  for  what  they  have  done  and  agrees  to 
participate  in  alternate  measures.  They  enter  into  an  agreement  that  stipulates  what  they  must  do  to  satisfy  program 
requirements.  Successful  completion  of  the  program  ensures  the  person  does  not  end  up  with  a  criminal  record.  Refer  to 
http.7/www.justice.gov.ab.ca/criminal_pros/default.aspx?id=5648  for  a  detailed  description  of  this  Program. 
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Three  common 
themes  to 
investigations 

Assessing 
overpayments 
could  be  done 
more  effectively 


Suspect's  personal 

circumstances 

considered 


Criminal  charges 
laid  in  two  of  38 
investigations 

Adult  Alternative 
Measures 
Program  not 
considered 


We  examined  38  investigation  files  related  to  the  HEP  Fund  and  found: 

•  Common  themes  investigated  included  individuals  who  collected  benefits 
but  were  not  living  at  the  claimed  residence,  HEP  benefits  not  spent  on  rent 
and  fraudulent  documents  provided  to  claim  benefits. 

•  Investigators  were  conducting  full  investigations  without  clear  guidance  on 
whether  the  Department  would  pursue  fraud  charges  if  they  found  enough 
evidence.  As  a  result,  we  saw  evidence  that  investigators  spent 
considerable  time  and  effort  on  full  investigations  to  assess  an 
overpayment,  which  may  have  been  done  much  earlier  in  the  process. 

•  A  full  investigation  takes  an  average  of  2.8  months4  and  includes  recording 
third-party  statements  and  obtaining  corroborating  evidence.  After  a  full 
investigation,  management  decides  whether  to  pursue  fraud  charges, 
considering  a  suspect's  personal  circumstances  and  the  future  impact  of  a 
potential  fraud  charge.  Such  information  is  often  available  early  in  the 


investigation. 


In  all  38  files  we  examined,  investigators  completed  a  full  investigation.  In 
3 1  files,  they  assessed  an  overpayment.  Criminal  charges  were  laid  in  two 
cases. 

We  found  no  evidence  that  the  investigation  units  considered  requests  to 
the  Crown  under  the  Adult  Alternative  Measures  Program  as  a  possible 
conclusion  to  a  case. 


Limited 
fraud-specific 
training  available 


Training 

Fraud  investigations  can  be  complicated;  they  require  specialized  training. 
Investigators  at  the  two  regional  offices  we  visited  have  taken  the  program  to 
become  peace  officers.  The  Department  also  has  a  general  training  plan  for 
them.  However,  the  Department  has  not  determined  which  fraud- specific 
courses  should  be  available  or  mandatory.  Examples  of  specific  fraud  training 
include  investigative  techniques,  interpretation  of  banking  records,  and  criminal 
and  case  law  in  relation  to  fraud. 


Implications  and  risks  if  recommendation  not  implemented 

Without  clear  direction  as  to  the  role  and  priorities  of  investigation  units,  the 
Department  may  not  be  making  effective  use  of  these  units.  Inconsistent 
practices  among  investigation  units  will  also  increase  the  risk  of  regional 
differences  in  how  cases  are  investigated  and  concluded. 


4  This  average  is  based  on  the  investigation  times  of  the  sample  of  38  investigation  files  we  examined  at  the  two  fraud 
investigation  units. 
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1 .1 .2  Internal  audits  and  home  visits 
Recommendation 

We  recommend  that  the  Department  of  Employment  and  Immigration 
improve  its  processes  by  developing: 

•  timelines  and  strategies  to  respond  to  findings  arising  from  internal 
audits 

•  a  risk-based  approach  to  augment  the  random  sample  selection 
method  currently  used  for  internal  audits  and  home  v  isits 

Background 

Internal  audit's  The  roic  Df  internal  audit  is  to  examine  internal  controls  and  test  compliance 

Iole  with  the  Department's  policies  and  procedures.  If  staff  suspects  fraud,  they 

transfer  the  case  to  the  investigation  unit.  The  investigation  unit  also  conducts 
random  home  visits  to  confirm  the  residency  of  the  recipient. 

Criteria:  the  standards  we  used  for  our  audit 

The  Department  should  use  a  risk-based  approach  to  conduct  internal  audits. 

The  Department  should  have  a  plan  to  implement  internal  audit's 
recommendations,  which  should  include  a  timeline  for  action.  Effectiveness  of 
the  action  plan  should  be  evidenced  by  a  reduction  in  errors  based  on 
reoccurring  internal  audit  results. 


Some  progress  on 
2007  internal 
audit 

recommendations 


Our  audit  findings 

In  September  2007,  the  Department's  internal  audit  team  conducted  an  internal 
audit  of  the  HEP  Fund  in  response  to  alleged  fraud  by  some  recipients.  One  of 
internal  audit's  findings  was  that  documentation  to  support  the  payments  made 
was  not  complete.  Management  took  some  steps  to  implement  internal  audit  s 
recommendations.  For  example,  management  further  refined  its  directives  and 
procedures  for  the  HEP  Fund  and  asked  the  investigation  unit  to  conduct 
random  home  visits  in  Calgary  and  Edmonton. 


2009  internal 
audit  found 
similar  issues 


In  January  2009,  the  team  completed  a  second  internal  audit,  testing  10 
HEP  Fund  files  from  each  of  the  six  regions.  Internal  audit  again  found  that 
HEP  Fund  recipient  files  did  not  contain  adequate  documentation.  In  five  of  the 
six  regions,  at  least  one  and  up  to  three  of  the  10  regional  files  tested  by  internal 
audit  did  not  contain  adequate  support  documentation.  The  regional  directors 
agreed  with  the  findings,  but  did  not  provide  a  specific  timeline  or  plan  for 
improving  the  results. 


Report  of  the  Auditor  General  of  Alberta 
October  2009 


1 


Financial  Statement  and  Other  Assurance  Audits 


Employment  and  Immigration 


Some  investigation  units  also  conduct  random  home  visits.  The  purpose  of 
these  visits  is  to  verity  occupancy  and  landlord  information  contained  in 
selected  HEP  Fund  client  files.  In  Edmonton,  two  staff  members  from  the 
investigation  unit  conduct  50  visits  a  month. 

The  Department  uses  random  sampling  to  select  samples  for  its  internal  audits 
and  home  visits.  The  Department  does  not  consider  risk  or  unusual  transactions 
in  its  sample  selection.  A  more  effective  approach  would  be  to  also  select 
samples  based  on  identified  risks  or  anomalies,  such  as: 

•  rental  location  does  not  agree  to  the  mailing  address 

•  required  data,  such  as  SIN  or  date  of  birth,  is  missing 

•  multiple  recipients  have  the  same  address 

•  high  dollar  or  long-term  payments 

Implications  and  risks  if  recommendation  not  implemented 

Home  visits  and  internal  audits  may  not  be  as  effective  or  efficient  if  the 
Department  does  not  identify  areas  of  risk  and  does  not  develop  strategies  to 
reduce  instances  of  non-compliance. 

1.2  Capital  asset  policy — implemented 

In  our  2006-2007  Annual  Report  (vol.  2— page  58),  we  recommended  that  the 
Department  improve  its  capital  asset  policy  and  procedures. 

The  Department  implemented  the  recommendation  by: 

•  developing  an  updated  capital  asset  policy  that  provides  adequate  guidance 
to  staff  for  the  capitalization  of  assets,  systems  development  costs  and 
upgrades 

•  appropriately  applying  its  new  policy 

1.3  Debit  cards — changed  circumstances 

In  our  2006-2007  Annual  Report  (vol.  2— page  57),  we  recommended  that  the 
Department  improve  controls  to  prevent  duplicate  Income  Support  payments  to 
the  same  recipient — by  both  cheque  and  debit  card. 

Effective  April  1,  2009,  the  debit  card  pilot  project  for  issuing  benefits  was 
stopped.  The  vendor  was  not  able  to  fulfill  the  requirements  of  the  request  for 
proposal  due  to  system  security  concerns  of  its  partner.  Province-wide 
implementation  will  be  revisited  sometime  in  the  future. 


Random  home 
visits  to  verity 
information 


Need  to  choose 

samples 

effectively 
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2.    Workers'  Compensation  Board  (WCB) 
2.1  Claims  audit 

Recommendation 

We  recommend  that  WCB  assess  whether  il  is  conducting  sufficient  claims 
audits  each  year. 


WCB  audits 
employer  claims 


Audits  target  high 
risk  employers 


Background 

WCB's  Claims  Audit  group  conducts  audits  to  ensure  that  Alberta  employers 
comply  with  WCB  legislation  and  have  an  effective  claims  management 
program.  Their  audit  procedures  include  a  review  of  documents  and  interviews 
with  front  line  employees. 

The  main  objective  of  a  claims  audit  is  to  educate  employers  and  to  help  them 
establish  effective  programs  for  recording  and  reporting  accidents,  meeting 
worker  entitlement  responsibilities  and  managing  return  to  work  processes. 

In  2008,  60  large  employers,  representing  approximately  12%  of  all  claims, 
were  audited.  The  selection  was  based  on  risk  and  included  employers 
registered  in  the  Partners  in  Injury  Reduction  Program,  employers  who  do  not 
report  accidents  within  three  days,  employers  with  high  claims  costs  and  high 
duration  days,  employers  with  a  low  modified  work  percentage  or  employers 
who  are  referred  to  Claims  Audit  by  other  WCB  groups. 


C  ould  more 
employers  benefit 
from  a  claims 
audit 


Criteria:  the  standards  we  used  for  our  audit 

WCB  should  periodically  assess  the  adequacy  of  its  audit  programs. 

Our  audit  findings 

WCB's  claims  audit  process  works  well.  However,  their  test  results  indicate 
that  reporting  by  employers  considered  high  risk  is  not  accurate,  complete  or 
timely.  For  these  employers,  a  process  is  in  place  to  improve  reporting. 

WCB  completed  120  claims  audits  on  high-risk  employers  for  January  1,  2007 
to  October  3 1 ,  2008.  The  test  results  indicated  that  66%  passed  the  accident 
recording  tests,  10%  passed  the  accident  reporting  tests,  62%  passed  the  worker 
entitlement  tests  and  8%  passed  the  overall  audit.  The  low  overall  employer 
pass  rate  of  8%  indicated  WCB's  success  in  targeting  employers  who  need 
education  and  a  possible  need  to  target  more  Alberta  employers. 


Implications  and  risks  if  recommendation  not  implemented 

Additional  employers  who  could  benefit  from  a  claims  audit  w  ill  not  be 
identified. 
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2.2  Access  and  security  monitoring 
Recommendation 

We  recommend  that  WCB  formalize  its  security  monitoring  procedures  to 
ensure  that  security  threats  to  critical  information  systems  are  detected  in 
a  timely  manner. 

Background 

The  protection  of  information  assets  is  typically  controlled  through  limits  to 
user  access.  Monitoring  and  logging  access  to  critical  systems  and  information 
helps  ensure  that  access  controls  are  working. 

Most  information  security  devices  and  business  applications  today  have  security 
features  that  can  log  and  report  all  levels  of  events  and  activities.  Information 
relating  to  user  access,  such  as  user  identifier,  time  and  type  of  access, 
identification  of  terminal  used,  and  the  application  used  to  gain  access,  can  be 
logged  for  the  detection  of  security  threats.  Continuous  monitoring  of  such  logs 
allows  management  to  promptly  take  corrective  actions  to  resolve  inappropriate 
access  or  security  violations.  Log  management  tools  can  also  be  used  to 
automate  the  notification  and  reporting  process. 

Criteria:  the  standards  we  used  for  our  audit 

WCB  should  have  documented  effective  control  processes  to  monitor  and  log 
information  security  and  access  violations,  and  to  ensure  that  its  network 
operating  systems,  applications  and  other  security  devices  are  configured  to 
prevent  unauthorized  access.  Such  processes  should  also  address  how 
management  should  report  and  remediate  security  violations. 

Our  audit  findings 

WCB  does  not  have  documented  processes  to  monitor  and  respond  to  security 
violations.  Management  reviews  security  logs  and  escalations  on  an  ad  hoc 
basis  only,  without  a  predefined  control  process  to  assess  the  level  of  risk  or 
impact  of  the  threat. 

Implications  and  risks  if  recommendation  not  implemented 

Failure  to  actively  monitor  security  and  access  violations  can  allow  an  intruder 
to  probe  for  possible  weaknesses  or  entry  points  to  WCB's  critical  financial 
information  systems.  Unauthorized  internal  users  may  gain  access  to  WCB's 
financial  applications  and  modify  or  delete  data,  resulting  in  misstated  financial 
statements. 


IT  security  threats 
need  monitoring 


Access  violations 
not  actively 
monitored 
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2.3  Enforce  procedures  and  guidelines  for  purchasing  card  program — 
implemented 
Background 

Last  year  (October  2008  Report,  page  253).  we  recommended  that  WCB 
enforce  its  procedures  and  guidelines  for  the  purchasing  card  program  by 
ensuring  that  all  purchasing  card  reports  are  appropriately  approved  and  have 
supporting  documentation. 

Our  audit  findings 

Improved  WCB  implemented  the  recommendation  by  improving  its  processes  to  monitor 

processes  follow  up  on  instances  of  non-compliance  with  purchasing  card  program 

procedures  and  guidelines. 

WCB's  Corporate  Services  group  has  increased  the  number  of  purchasing  card 
statements  it  tests  each  month.  It  now  reports  the  results  of  the  testing  to  the 
cardholder,  coordinator  and  superv  isor,  together  with  the  action  the  cardholder 
must  take  to  resolve  the  discrepancy.  When  non-compliance  is  found.  Corporate 
Services  continuously  monitors  the  cardholder  for  an  additional  two  months. 
Management  Audit  Sen  ices  also  performed  quarterly  tests  of  selected 
purchasing  card  transactions.  Both  Corporate  Sen  ices  and  Management  Audit 
Services  prepare  a  quarterly  memo  to  senior  management,  summarizing  the 
audit  findings  from  the  testing  of  purchasing  cards  and  including  any  concerns 
or  required  actions. 


Financial  statements 

Unqualified  Our  auditor's  opinion  on  the  Ministry  financial  statements  for  the  year  ended 

auditor's  opinions     *  .      ,     ,   ~,r\r\n  •  \-r  j 

1  March  31,  2009  is  unqualified. 

We  issued  an  unqualified  audit  opinion  for  the  March  31.  2009  Labour  Market 
Development  Claim. 

We  issued  an  unqualified  audit  opinion  for  the  March  3  1 .  2008  Hmployability 
Assistance  for  People  with  Disabilities  Claim. 

We  issued  an  unqualified  audit  opinion  on  the  financial  statements  of  WCB  for  the 
year  ended  December  31,  2008.  We  also  issued  an  unqualified  audit  opinion  on  the 
schedule  of  administrative  charges  of  WCB  for  the  year  ended  December  31,  2008. 
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Performance  measures 

rev?ewlfied  ThC  Ministr^  enSaged  us  to  review  selected  performance  measures  in  the  Ministry's 

engagement  report    2008-2009  Annual  Report.  We  issued  an  unqualified  review  engagement  report  on 
these  measures. 

We  found  no  exceptions  when  we  completed  specified  auditing  procedures  on 
WCB's  performance  measures  in  its  accountability  framework. 
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Summary 

The  Department  of  Energy  should: 

•  improve  its  monitoring  of  the  implementation  of  the  bitumen  valuation 
methodology — see  below 

•  improve  processes  to  prepare  its  financial  statements — see  page  197 

•  improve  controls  over  the  revenue  forecast  system    see  page  lcW 

•  monitor  the  impact  of  the  change  in  the  provincial  corporate  effective  royalty 
rate  on  the  Department's  accounts  receivable  and  incentive  programs 

see  page  200 

Due  to  changed  circumstances,  our  2003-2004  recommendation  relating  to  the 
administration  of  the  oil  sands  Royalty  Regime  is  no  longer  valid    sec  page  201 

On  page  204,  we  also  describe  an  emerging  financial  reporting  issue  relating  to  the 
incentive  programs  announced  by  the  Ministry  in  March  2009 

The  Energy  Resources  Conservation  Board  (ERCB)  should  assess  the  adequacy  of 
its  SAP  business  application  access  and  security  controls  and  configurations  to 
ensure  ERCB's  information  is  properly  protected — see  page  202 

For  any  outstanding  recommendations  previously  made  to  the  organizations  that 
form  the  Ministry,  please  see  our  outstanding  recommendations  list  on  page  335. 


Our  audit  findings  and  recommendations 

1.    Department  of  Energy 

1.1  Bitumen  valuation  methodology  implementation 
Recommendation  No.  20 

We  recommend  that  the  Department  of  Energy  improve  its  monitoring  of 
the  implementation  of  the  bitumen  valuation  methodology. 

Background 

Bitumen  requires  Some  oil  sands  projects  produce  heavy  oil,  but  effective  January  1,  2009,  the 

majority  of  oil  sands  royalties  are  determined  based  on  the  value  of  bitumen. 
Bitumen  is  not  widely  traded  like  crude  oil,  and  some  producers  use  almost  all 
of  the  bitumen  they  produce  to  make  synthetic  crude  oil  and  other  upgraded 
products  within  their  operations.  This  combination  makes  it  necessary  to 
establish  a  method  for  determining  the  fair  market  value  of  bitumen  to 
determine  royalties. 
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Royalty  amending 
agreements 
include  process  to 
value  bitumen 


Bitumen  price 
determined  by  one 
operator  less  than 
half  that  used  by 
all  others 


Outcome  of 
bitumen  valuation 
issue  could  have 
significant  impact 
on  rovalties 


Suncor  and  Syncrude  oil  sands  mine  projects  are  assessed  royalties  under 
Crown  agreements  that  were  made  before  the  creation  of  the  oil  sands  royalty 
regulation  that  applies  to  other  oil  sands  projects.  In  2008,  the  Ministry  agreed 
to  amend  the  Crown  agreements  with  both  Suncor  and  Syncrude  through  the 
Royalty  Amending  Agreements  (RAAs).  Each  of  these  RAAs  contemplated  the 
implementation  of  a  bitumen  valuation  methodology  and  each  contained  a  list 
of  clauses  modifying  the  application  of  the  to-be-established  bitumen  valuation 
methodology  to  the  respective  Crown-agreement  projects.  In  January  2009,  the 
Bitumen  Valuation  Methodology  (Ministerial)  Regulation  was  implemented 
which  applies  to  all  oil  sands  projects  that  have  significant  quantities  of  non- 
arms  length  transfers  of  bitumen  to  upgrading  operations. 

Criteria:  the  standards  we  used  for  our  audit 

The  Department  should  have  a  process  to  monitor  the  implementation  of  the 
bitumen  valuation  methodology. 

Our  audit  findings 

In  late  March  2009,  while  reviewing  reports  received  by  the  Department  from 
the  oil  sands  operators  for  the  2009  calendar  year,  we  noted  that  the  bitumen 
price  used  by  one  of  the  Crown-agreement  operators  was  less  than  half  that 
used  by  all  other  operators.  Using  a  lower  price  decreases  net  operating  results 
and  royalties  calculated  on  that  base.  Although  the  oil  sands  branch's  staff  had 
also  noted  this  variance,  they  were  unable  to  reconcile  their  expectation  of  the 
bitumen  price  for  that  project  to  the  operator's  price.  Upon  further  inquiry,  we 
were  informed  by  the  Department  that  the  operators  had  notified  them  by  letter 
in  February  2009,  that  their  calculation  was  based  on  the  terms  of  the  RAA, 
including  the  qualifications  contained  in  that  agreement.  However,  the 
Department  is  of  the  view  that  the  BVM  is  as  set  out  in  the  Bitumen  Valuation 
Methodology  (Ministerial)  Regulation,  which  is  fully  consistent  with  the 
qualifications  set  out  in  the  RAA. 

Management  sent  formal  requests  to  the  two  oil  sands  operators  in 
mid-April  2009,  asking  them  to  amend  the  bitumen  values  used  in  the  good 
faith  estimates.  The  oil  sands  operators  have  amended  their  good  faith  estimates 
as  requested,  pending  resolution  of  the  matter.  The  RAAs  include  a  dispute 
resolution  process.  Although  this  issue  did  not  have  a  significant  impact  on 
royalties  accrued  to  March  31,  2009,  the  outcome  could  have  a  significant 
impact,  estimated  to  be  $100  million,  on  the  amount  of  royalties  assessable  for 
the  2009  calendar  year.  This  issue  had  not  yet  been  resolved  at  the  time  we 
completed  our  audit. 
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Implications  and  risks  if  recommendation  not  implemented 

Differences  in  interpretation  between  the  Department  and  oil  sands  operators  of 
the  bitumen  valuation  methodology  may  not  be  identified  and  resoKed  in  a 
timely  manner. 

If  the  Department  is  unsuccessful  in  upholding  their  interpretation  of  the 
bitumen  valuation  methodology  applicable  to  Crown  agreements,  this  could 
result  in  significantly  less  royalty  to  the  Crown  lor  the  duration  of  the  RAAs. 

1.2  Improving  processes  to  prepare  financial  information 
Recommendation 

We  recommend  that  the  Department  of  Energy  improve: 

•  internal  communication  processes  between  the  Finance  branch  and 
program  staff 

•  quality  control  processes  for  the  preparation  of  working  papers  and 
financial  statements 

•  the  timely  completion  of  accurate  financial  information 

Background 

For  the  year  ended  March  3 1 ,  2009.  the  Ministry  of  Energy  is  reporting 
approximately  $12  billion  in  revenue  primarily,  from  non-renewable  resources. 
Systems  are  in  place  to  both  compile  and  internally  report  on  forecasted  and 
actual  revenues  so  that  management  can  make  timely  decisions.  Also,  the 
Ministry  reports  its  revenues  publicly  in  its  financial  statements.  These  amounts 
are  also  consolidated  into  the  Government  of  Alberta's  financial  statements. 
The  Department  of  Treasury  Board  has  implemented  internal  reporting 
deadlines  that  apply  to  all  Departments  so  that  the  government's  financial 
statements  can  be  prepared,  audited  and  reported  on  w  ithin  the  legislated 
deadline  of  June  30. 

Criteria:  the  standards  we  used  for  our  audit 

The  Department  should  have  processes  to  ensure  complete,  accurate  and  timely 
financial  information  is  available. 

Controls  over  financial  reporting  processes  should  exist  to  reduce  the  risk  of 
material  misstatements  in  the  Department's  accounting  records. 

Our  audit  findings 

Sharing  of  information  betw  een  program  areas  and  the  finance  branch 

When  issues  arise,  such  as  changes  in  systems  or  differing  interpretation  of 
legislation,  they  usually  have  implications  for  aspects  of  the  Ministry's  budget 
forecasts  and  financial  reports.  Improved  processes  are  needed  to  ensure  that 
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issues  are  communicated  to  the  Department  of  Energy's  Finance  Branch  in  a 
timely  manner. 


Accounting 
implications  of 
royalty  issues  are 
not  always 
considered  in  a 
timely  manner 


Examples  from  the  current  and  recent  financial  statement  audits  include: 

•  The  change  in  the  royalty  regime  required  a  one-time  royalty  adjustment 
calculation  pertaining  to  December  31,  2008,  ending  oil  sands  inventory 
balances.  The  effect  of  this  adjustment  needed  to  be  incorporated  into  the 
Ministry's  oil  sands  accrual,  but  the  Oil  Sands  Branch  did  not  realize  this 
so  the  information  was  not  communicated  to  the  Finance  branch  in  a  timely 
manner. 

•  Certain  oil  sands  companies  have  interpreted  the  bitumen  valuation 
methodology  differently  than  the  Department.  This  too  impacted  the 
current  year  accrual  and  has  the  potential  to  have  significant  impacts  on 
future  revenue  forecasts,  but  it  was  not  communicated  to  the  Finance 
branch  by  the  program  area  as  an  item  to  be  considered  in  preparing  the 
Ministry  financial  statements.  (We  discuss  this  issue  further  in  section  1.1) 

•  The  fuel  gas  issue,  previously  reported  in  our  October  2008  Report,  was 
not  reported  by  the  program  area  to  the  Finance  Branch  to  assess  whether 
the  natural  gas  accrual  required  an  adjustment.  The  Finance  Branch  became 
aware  of  the  matter  after  we  noted  it. 

•  A  working  paper  prepared  by  a  program  area  and  submitted  to  the  Finance 
Branch  to  support  key  accruals  contained  a  material  error  of  $75  million. 


Significant  errors 
found 


Quality  control  processes  over  working  papers  and  financial  statements 

A  key  process  in  preparing  the  Ministry  financial  statements,  is  making  several 
routine  and  non-routine  journal  entries  to  record  revenue  completely  and 
accurately.  In  each  of  the  last  three  years,  there  has  been  at  least  one  material 
adjusting  entry  omitted  or  duplicated  during  the  preparation  of  the  financial 
statements.  Although  these  errors  are  few  in  occurrence,  they  are  individually 
material  ranging  from  $60  million  to  $237  million. 


Reporting 
deadlines  not  met 


The  Department  has  not  been  able  to  provide  complete  draft  financial 
statements  and  supporting  working  papers  of  sufficient  quality  within  the 
year-end  deadlines  established  by  the  Department  of  Treasury  Board  for  at  least 
the  last  three  years.  Although  the  financial  statements  and  working  papers  are 
eventually  completed,  combined  with  the  issues  noted  above,  this  compounds 
the  risk  of  errors  not  being  detected  by  management  in  a  timely  manner. 


Implications  and  risks  if  recommendation  not  implemented 

Management  may  not  identify  material  errors  or  omissions  in  their  financial 
statements. 
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1.3  Sustaining  the  continued  accuracy  of  the  revenue  forecast  system 
Recommendation  No.  21 

We  recommend  that  the  Department  of  Energy  improve  the  controls  and 
documentation  supporting  the  revenue  forecast  model  to  help  ensure  the 
continued  accuracy  of  the  forecast  system. 


Forecast  model 
used  for  budget 
and  financial 
statements 


Background 

The  Department  has  developed  a  complex  forecasting  system  for  royalties, 
freehold  mineral  tax,  rental  revenues  and  land  sales  that  is  used  for  budgeting 
purposes.  The  natural  gas  and  oil  sands  forecasts  are  also  used  to  calculate  the 
most  significant  accruals  for  the  financial  statements.  The  forecast  model  and 
supporting  data  are  updated  and  maintained  by  a  few  key  people  in  the 
Department's  Finance  Branch.  The  data  is  gathered  and  uploaded  into  Excel 
spreadsheets  where  the  key  forecast  calculations  occur. 


Criteria:  the  standards  we  used  for  our  audit 

The  extent  of  documentation  and  control  over  end-user  applications,  such  as 
Excel,  should  be  commensurate  with  the  complexity  and  impact  on  the 
financial  statements. 

Our  audit  findings 

We  reviewed  a  December  2008  document  titled  Revenue  Forecast  Model 
Documentation  that  outlines  the  process,  methodology  and  forecasting 
techniques  used  in  modeling  the  various  revenue  streams.  We  also  examined 
the  controls  and  processes  around  the  dev  elopment  and  maintenance  of  the 
forecast  models,  and  assessed  the  documentation  that  outlines  the  forecasting 
methodology. 


Documentation 
requires  more 
depth 


Although  the  current  systems  documentation  prepared  by  the  Department 
provides  a  starting  point  to  understanding  the  forecast  model,  it  would  not 
provide  sufficient  information  for  a  new  employee  to  process  and  maintain  the 
model  if  it  became  necessary. 


Key  processes 
need  to  be 
improved 


Our  examination  of  the  documentation  and  controls  for  the  forecast  found: 

•  a  documented  process  for  making  changes  to  the  forecast  models  does  not 
exist 

•  a  defined  process  for  tracking  changes  made  and  regularly  updating  the 
methodology  documentation  for  those  changes  does  not  exist 

•  strong  controls  to  prevent  the  input  of  inaccurate  data  does  not  exist 

•  clear  and  specific  documented  support  does  not  exist  for  a  number  of  the 
assumptions  made  within  the  models,  such  as  number  of  years  to  use  for 
historical  averages  and  application  of  seasonal  trends 
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•     much  of  the  logic  and  reasoning  around  many  assumptions  reside  with  the 
individuals  who  prepare  the  models  and  is  not  documented 

Based  upon  our  examination  of  the  accuracy  of  the  forecast  models  used  for  the 
year  end  accruals,  we  did  not  identify  any  mathematical  errors.  However,  with 
increased  price  sensitivity  of  royalties  under  the  "new"  royalty  regime,  and 
changing  assumptions,  there  is  an  increased  risk  of  misstatement  going  forward 
if  assumptions  and  methodologies  are  not  clearly  documented  and  well 
supported. 

Because  of  the  small  number  of  individuals  that  work  within  the  forecasting 
group,  without  clear  and  comprehensive  documentation  of  the  models,  any 
changes  to  staff  continuity  could  result  in  knowledge  and  understanding  of  the 
models  being  lost.  This  could  potentially  have  an  impact  on  the  accuracy  of 
future  budgets  and  accruals  within  the  financial  statements. 

Implications  and  risks  if  recommendation  not  implemented 

Future  employees  may  not  be  able  to  obtain  sufficient  knowledge  to  effectively 
process  the  forecast  calculations  or  maintain  the  model  if  adequate 
documentation  is  not  prepared  by  the  current  staff. 

1 .4  Corporate  effective  royalty  rate 
Recommendation  No.  22 

We  recommend  that  the  Department  of  Energy  monitor  the  impact  of  the 
change  in  the  provincial  average  corporate  effective  royalty  rate  on  the 
Department's  accounts  receivable  and  incentive  programs. 

Background 

Natural  gas  producers  claim  an  allowance  for  capital,  operating  and  custom 
processing  costs.  These  monthly  cost  claims  represent  the  Crown's  share  of  the 
cost  of  producing  and  processing  natural  gas  and  reduce  the  net  royalty  payable 
by  producers.  Each  June,  natural  gas  producing  companies  are  required  to 
submit  their  actual  costs  from  the  preceding  calendar  year.  Thus,  in  order  for  a 
company  to  include  the  cost  allowances  for  a  production  month  in  the  current 
year,  an  estimate  is  used.  The  estimate  is  based  on  the  previous  year's  cost  and 
the  corporate  effective  royalty  rate  (CERR).  Any  differences  from  the  cost 
estimates  and  the  actual  cost  data  submitted  for  a  calendar  year,  is  reflected  as 
an  "annual  cost  adjustment"  in  a  company's  royalty  invoice  from  the 
Department  the  following  June. 

Criteria:  the  standards  we  used  for  our  audit 

The  risks  and  impact  of  changing  forecasts  and  conditions  should  be  assessed 
and  mitigated  if  necessary. 
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Our  audit  findings 

We  found  that  the  Department  made  a  significant  adjustment  to  the  gas  accrual 
covering  January  to  March  2009  related  to  the  cost  allowance.  Based  upon 
forecasted  natural  gas  prices,  the  Department  determined  that  the  estimated 
provincial  average  CERR  could  be  approximately  10%  for  the  2009  calendar 
year.  During  the  preceding  10  years,  the  provincial  average  CERR  had  been 
relatively  stable  approximating  20%.  The  difference  between  those  two  rates  is 
a  result  of  the  new*  royalty  regime  being  more  price-sensitiv  e  to  lower  natural 
gas  prices  than  the  old  regime.  The  provincial  average  CERR  is  the  average  rate 
of  royalties  the  Department  realizes  on  natural  gas  royalties. 

Cost  allowance  estimates  for  2009  are  based  on  the  higher  2008  CERR.  The 
potential  effect  of  basing  the  estimated  cost  allowance  on  the  higher  CERR  ma\ 
result  in  producers  claiming  allowable  costs  of  approximately  SI .  1  billion  in 
2009,  which  may  have  to  be  paid  back  to  the  Department  in  June  of  2010. 
Although  there  is  always  a  settlement  through  the  annual  adjustment  in  the 
following  June  related  to  the  gas  cost  allowances,  the  2010  settlement  is 
forecasted  to  be  atypical  in  magnitude  and  direction  of  payment.  An  estimate  of 
this  settlement  has  already  been  included  in  the  Department's  accruals  and 
forecasts,  and  therefore  should  not  further  impact  the  forecasted  provincial 
deficit. 

Implications  and  risks  if  recommendation  not  implemented 

The  cash  flow  impact  on  producers  of  the  June  2010  cost  allowance  adjustment 
could  have  unexpected  impacts  on  the  Department's  accounts  receivable  and 
royalty  incentive  programs. 

1.5  Administration  of  the  oil  sands  royalty  regime — changed  circumstances 
Background 

In  our  2003-2004  Annual  Report  (No.  10 — page  125)  we  recommended  that  the 
Department  of  Energy: 

•  set  expected  ranges  for  analyzing  the  costs  and  forecasted  resource  prices 
submitted  on  oil  sands  project  applications 

•  incorporate  risk  into  its  present  value  test  used  to  assess  project 
applications 

In  our  2004  2005  Annual  Report,  w  e  reported  that  the  Department  had 
implemented  the  first  part  of  the  recommendation  by  using  a  range  of  costs, 
prices,  and  production  v  olumes  when  assessing  oil  sands  royalty  projects  during 
the  approval  process. 

Also,  by  our  2004-2005  Annual  Report,  the  Department  had  formed  a  task 
force  that  prepared  a  discussion  paper  dealing  with  the  second  part  of  our 
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recommendation  to  use  a  risk-adjusted  discount  rate  in  the  present  value  test. 
When  we  followed  up  again  and  reported  in  our  2005-2006  Annual  Report,  the 
Department  had  decided  to  use  a  weighted  scoring  system,  instead  of  a 
risk-adjusted  discount  rate. 

Our  audit  findings 

The  Department  decided  not  to  proceed  with  the  weighted  scoring  system  for 
assessing  project  applications  because  of  the  subjectivity  in  determining  the 
numerical  values  for  the  weighted  scoring  system.  We  agree  and  are  not 
carrying  forward  our  recommendation. 

2.    Energy  Resources  Conservation  Board 
2.1  Assessing  and  improving  SAP  security  controls 
Recommendation 

We  recommend  the  Energy  Resources  Conservation  Board  assess  the 
adequacy  of  its  SAP  business  application  access  and  security  controls  and 
configurations  to  ensure  its  information  is  properly  protected. 

Background 

ERCB  uses  SAP — an  integrated  enterprise  resource  planning  software 
application — to  process  and  record  financial  and  business  information.  As  part 
of  our  financial  statement  audit,  we  reviewed  SAP's  access  and  security 
controls  and  configurations.  We  based  our  work  on  SAP  information  extracts 
obtained  on  February  16,  2009. 

Criteria:  the  standards  we  used  for  our  audit 

ERCB  should  have  adequate  access  and  security  controls  and  configurations 
within  its  SAP  system  to  ensure  that  ERCB: 

•  does  not  allow  any  single  user  to  have  excessive  access  (excessive  access  is 
anything  that  would  allow  a  user  to  bypass  critical  management  controls) 

•  does  not  use  the  system's  default  security  settings  and  configurations 

•  reviews  user  accounts  regularly  to  confirm  the  user's  business  need  and 
monitor  the  user's  actions 

Our  audit  findings 

We  observed  that  two  people  had  excessive  access  that  would  allow  them  to 
bypass  critical  management  controls.  Their  access  would  also  allow  them  to 
hide  their  actions  by  modifying  or  deleting  audit  trail  evidence  maintained  in 
the  SAP  system.  We  did  not  identify  any  well-designed  compensating  controls 
or  mitigating  circumstances  for  this  risk. 
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The  excessive  access  privileges  of  these  two  users  included  the  ability  to: 

•  make  changes  directly  to  or  delete  data  and  tables  in  the  SAP  production 
system 

•  create  or  delete  users,  give  users  the  ability  to  do  anything  within  SAP,  and 
delete  users  and  their  recent  activity 

Our  information  extracts  also  identified  weak  security  configurations.  For 
example: 

•  SAP  administrative  accounts  still  had  their  default  passwords  enabled 

•  three  default  generic  user  accounts  with  powerful  user  access  were  still 
enabled 

•  these  accounts  were  not  locked  and  their  passwords  were  not  properl) 
secured 

In  addition,  the  system  does  not  log  sensitive  user  actions;  nor  does  ERCB 
monitor  users'  sensitive  actions  or  regularly  review  user  accounts  for  their 
business  need.  The  ERCB  did  not  enable  the  auditing  and  logging  function 
within  SAP.  Therefore,  actions  taken  by  powerful  account  users  cannot  be 
independently  reviewed  to  ensure  they  do  not  abuse  the  privileges  they  ha\  e. 

Implications  and  risks  if  recommendation  not  implemented 

Without  proper  access  and  security  controls  and  configurations,  unauthorized 
changes  to,  or  deletion  and  use  of  ERCB's  business  data  may  occur. 


Financial  statements 

Unqualified  Our  auditor's  opinions  on  the  financial  statements  for  the  Ministry  and  the 

auditor's  opinions    Departrnent  for  lhc  year  ended  March  3 1 .  2009  are  unqualified. 

Our  auditor's  opinion  on  the  financial  statements  for  the  Alberta  Petroleum 
Marketing  Commission  for  the  year  ended  December  3 1 .  2008  is  unqualified. 

Our  auditor's  opinions  on  the  financial  statements  for  the  Alberta  Utilities 
Commission  and  the  Energy  Resources  Conservation  Board  for  the  year  ended 
March  31,  2009  are  unqualified. 

Performance  measures 

Unqualified  ync  Ministry  engaged  us  to  review  selected  performance  measures  in  the  Ministry's 

2008  2009  Annual  Report.  We  issued  an  unqualified  rev  iew  en^aticment  report  on 
engagement  report  r  1  o  o  r 

these  measures. 
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Emerging  issue— Accounting  for  the  three-point  incentive  program  for  the 

energy  sector 

Background 

On  March  3,  2009,  the  Ministry  of  Energy  announced  a  three-point  incentive 
program  to  stimulate  new  and  continued  economic  activity.  The  three  parts  of  the 
program  include: 

•  a  drilling  royalty  credit  for  new  oil  and  gas  wells  estimated  to  reduce  royalties 
receivable  by  $466  million  for  one  year 

•  a  maximum  5%  royalty  on  the  first  year  of  production  from  new  oil  and  gas 
wells  estimated  to  reduce  royalties  receivable  by  $1  billion  for  one  year 

•  funds  of  $30  million  directed  to  oil  and  gas  well  reclamation 

The  first  two  programs  were  extended  an  additional  year  on  June  25,  2009.  Since 
these  programs  begin  April  1,  2009,  the  effect  of  these  programs  will  be  accounted 
for  the  first  time  in  the  Ministry  of  Energy's  financial  statements  for  the  year  ending 
March  31,  2010. 

In  the  past,  the  Department  has  operated  several  royalty  off-set  programs  such  as  the 
deep  gas  royalty  holiday.  These  programs  were  accounted  for  in  the  Ministry's 
financial  statements  by  netting  them  against  the  gross  royalties  that  would  have 
otherwise  been  calculated  in  absence  of  the  programs.  We  accepted  this  accounting 
treatment  because  those  programs  were  integral  to  the  determination  of  royalties 
from  the  wells  they  were  applied  to.  Described  another  way,  those  programs 
essentially  modified  the  base  royalty  calculation  to  take  into  account  some  other  key 
well  characteristics  such  as  depth  for  applicable  wells. 

We  believe  the  new  programs  should  be  recorded  as  an  expense  in  the  Ministry 
financial  statements  rather  than  netting  them  against  royalty  revenues.  The 
Department  already  plans  to  record  the  third  point  related  to  reclamation  as  an 
expense  because  it  will  take  the  form  of  a  grant  to  the  Orphan  Well  Association. 
However,  the  Department  so  far  has  indicated  through  its  budget  that  it  will  record 
the  first  two  incentives  by  netting  them  against  royalty  revenues. 

Accounting  implications 

Under  existing  Canadian  public  sector  accounting  principles,  transactions  should  be 
presented  in  a  manner  that  reflects  their  actual  underlying  economic  substance  rather 
than  their  legal  form.  Accounting  principles  also  require  that  financial  statements 
disclose  the  gross  amount  of  revenue. 

The  drilling  credit  and  new  well  incentives  take  the  form  of  a  direct  reduction  to 
royalties  receivable  and,  therefore,  will  not  require  the  Ministry  to  issue  cheques  for 
these  amounts  to  producers.  Despite  this  form,  their  economic  substance  is  no 
different  than  an  economic  development  or  disaster  assistance  grant  program  that 


Programs  should 
be  accounted  for 
as  an  expense 
regardless  of  form 
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other  ministries  provide  to  other  industries  where  those  ministries  do  not  ha\e 
industry  soureed  rev  enues  to  net  the  cost  of  the  programs  against.  The  Ministrv  "s 
public  statements  indicate  the  incentives  are  designed  to  stimulate  economic  activ  it\ 
in  the  energy  sector  and  are  not  attached  to  the  royalty  structure.  The  Department 
also  indicated  that  the  incentives  are  a  means  through  the  royalty  regime  to  make  up 
for  a  lack  of  financing  av  ailable  to  producers  due  to  the  credit  crunch.  We  believe 
such  statements  support  our  view  of  the  programs  being  an  economic  dev  elopment 
and  assistance  program  as  opposed  to  an  amendment  to  the  royalty  regime  and 
should  be  accounted  for  the  same  as  all  other  economic  or  assistance  programs  the 
government  operates.  That  is,  to  record  the  program  amounts  as  an  expense. 

Difficult  to  \x/e  considered  whether  the  incentives  will  increase  o\  oral  I  royalties  bv  generating 

determine  it  ere  ^  increased  volume  of  production  throuuh  a  low  er  rovaltv  rate  which  could  be  used 
are  any  r  °  J  J 

incremental  t°  support  an  argument  that  the  incentives  should  be  netted  against  revenue.  Because 

revenues  the  amount  of  incremental  drilling  and  production  generated  due  to  the  incentives  is 

uncertain,  it  is  difficult  to  determine  that  the  incentives  w  ill  result  in  incremental 
revenue.  Furthermore,  because  the  resources  in  this  ease  are  finite  and  prices  for 
natural  gas  are  at  cyclically  low  levels,  any  increased  production  in  the  near  term 
w  ould  more  likely  represent  a  shifting  of  production  from  future  periods  w  hen 
prices  recover,  as  opposed  to  truly  incremental  volumes  that  would  have  never 
otherwise  been  produced. 

While  the  Department  is  planning  to  disclose  gross  rev  enues,  they  are  planning  to 
show  the  cost  of  this  economic  development  and  assistance  program  as  a  negative 
revenue  line  item  as  opposed  to  an  expense,  [f  the  primary  purpose  of  incurring  this 
cost  is  to  stimulate  economic  activity  then  its  cost  would  be  appropriately  classified 
as  an  expense  just  as  any  other  gov  ernment  program  would  be. 

Next  steps 

We  will  continue  discussions  with  management  and  consider  the  impact  of 
recording  the  programs  net  of  revenues  in  our  auditor's  report  for  the  year  ending 
March  31,  2010. 
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Environment 

Summary 

The  Department  should  implement  a  system  for  obtaining  sufficient  financial 
security  for  land  disturbances — see  below 

The  Department  has  implemented: 

•  our  recommendation  to  create  a  system  to  manage  contaminated  site  assessment 
information  in  Alberta — see  page  209 

•  our  recommendation  to  implement  processes  to  comply  with  the  Ministry  of 
Treasury  Board's  deadlines  for  completion  of  the  Climate  Change  and 
Emission  Management  Fund's  financial  statements — see  page  210 

For  any  outstanding  recommendations  previously  made  to  the  organizations  that 
form  the  Ministry,  please  see  our  outstanding  recommendations  list  on  page  335. 


Our  audit  findings  and  recommendations 

1.    Financial  security  for  land  disturbances — recommendation  repeated 

We  are  repeating  the  recommendation  for  the  third  time  because  the 
Department  could  not  confirm  when  a  new  program  for  obtaining  financial 
security  will  be  finalized  and  implemented. 

Recommendation  No.  23 — repeated 

We  again  recommend  that  the  Department  of  Knvironment  implement  a 
system  for  obtaining  sufficient  financial  security  to  ensure  parties  complete 
the  conservation  and  reclamation  activity  that  the  Department  regulates. 

Background 

Under  the  Environmental  Protection  and  Enhancement  Act  (EPEA)]  the  land 
used  for  such  activities  as  mining  must  be  reclaimed  to  its  original  state  once 
operations  end.  To  ensure  that  the  operator  performs  all  the  necessar\ 
reclamation  activities  the  Act  requires  operators  to  provide  security  based  on  the 
full  cost  of  reclamation.  The  security  is  returned  to  the  operator  if  the  site  is 
reclaimed,  or  forfeited  if  an  operator  fails  to  meet  his  obligations.  In  the  latter 
case,  the  Department  assumes  the  responsibility  for  site  reclamation. 


Need  system  to 
obtain  sufficient 
financial  security 
for  land 
disturbances 
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recommended  in  °Ur  I99H~1999  Ammal  RePort  (N«-  30— page  157),  we  first  identified  that 

1998  1999  me  Pr°cess  for  obtaining  security  was  applied  inconsistently  and  security  may 

be  inadequate. 


In  our  2000-2001  Annual  Report  (No.  8— page  90),  we  recommended  that  the 
Department  deal  with  the  risks  of  inadequate  security.  We  noted  that  there  were 
some  large  land-disturbing  industries  (oil  sands  and  coal  mines)  that  were  not 
providing  security  at  full  cost  of  reclamation  and  there  was  no  model  in  place  to 
determine  what  a  sufficient  amount  of  security  other  than  full  cost  might  be. 
These  industries  were  negotiating  with  the  Department  to  establish  levels  and 
types  of  security  acceptable  to  both  parties. 

In  our  2004-2005  Annual  Report  (No.  3 1—  page  1 80),  we  recommended  that 
the  Department  implement  a  system  for  obtaining  sufficient  financial  security 
to  ensure  parties  complete  the  reclamation  activity  that  the  Department 
regulates.  We  noted  that  there  were  still  many  inconsistencies  in  how  financial 
security  was  posted  for  oil  sands  and  coal  mines.  Some  sites  posted  security 
under  prior  legislation  and  that  security  has  been  continued  under  existing 
legislation.  The  result  is  that  some  sites  had  security  based  on  production  and 
not  on  the  full  cost  of  reclamation,  as  currently  required  by  EPEA.  Some  sites 
used  outdated  information  to  determine  their  estimated  full  cost  of  reclamation. 
Some  estimates  did  not  include  all  required  costs.  As  a  result  of  these 
inconsistencies,  the  sufficiency  of  security  for  the  completion  of  reclamation 
was  not  ensured. 


Criteria:  the  standards  we  used  for  our  audit 

For  us  to  consider  our  recommendation  implemented,  there  must  be  evidence 
that  the  Department's  system  will  result  in  sufficient  security  to  ensure 
completion  of  conservation  and  reclamation  by  considering  the  following: 

•  nature,  complexity  and  extent  of  activity 

•  probable  difficulty  of  conservation  and  reclamation 

•  consistent  application  of  conservation  and  reclamation  standards 

Our  audit  findings 

The  Department  has  not  changed  its  approach  to  assessing  and  obtaining 
financial  security  for  reclamation  from  operations  such  as  oil  sands  and  coal 
mines.  In  2005-2006,  a  government-industry  team  led  by  the  Departments  of 
Environment  and  Energy  prepared  a  proposal  for  a  Mine  Liability  Management 
Program  for  cabinet  review  and  approval.  This  program  used  a  risk-based 
approach  to  calculate  the  security  needed. 
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Still  in 

consultation  static 


In  2007.  the  proposal  for  the  new  program  was  undergoing  revisions  prior  to 
stakeholder  consultation.  The  stakeholder  consultation  process  took  place  in 
2009  with  a  report  expected  in  August  2009.  This  consultation  process  invoked 
participation  and  input  from  Alberta  Environment,  Alberta  Energy,  Alberta 
Treasury  Board,  Alberta  Finance  and  Enterprise,  Energy  Resources 
Conservation  Board,  and  industry  representatives.  Consultation  outcomes  will 
not  constitute  a  decision  on  the  proposed  program  and  no  final  solution  appears 
imminent. 


Implications  and  risks  if  recommendations  not  implemented 

With  the  passage  of  time,  the  Department  continues  to  be  exposed  to  the  risk  of 
obtaining  inadequate  security  for  conservation  and  reclamation  activ  ity  which 
may  result  in  additional  costs  to  the  province. 

2.    Contaminated  sites — implemented 
Background 

Although  we  use  the  term  "contaminated  site,"  it  should  be  noted  that  the 
Department's  information  system  includes  sites  at  which  contamination  is  not 
confirmed  or  has  been  remediated. 

Under  the  EPEA,  the  Department  is  responsible  for  regulating  contaminated 
sites  throughout  the  province.  The  responsibility  includes  assessing,  designating 
and  approving  site  remediation  activities. 

In  our  2005-2006  Annual  Report  (No.  29 — page  87).  we  repeated  our 
recommendation,  first  made  in  2003,  that  the  Department  implement  an 
integrated  information  system  to  track  contaminated  sites  in  Alberta. 

At  the  time  of  the  present  audit,  the  Department  possessed  records  for 
approximately  9,000  sites  with  some  level  of  em  ironmental  site  assessment 
activitv. 


System  has  been 
developed 


Our  audit  findings 

The  Department  has  implemented  an  electronic  system  to  manage 
environmental  site  assessment  information  in  the  province. 


All  regions  of 
province  are 
contained  in  the 
system 


The  scanned  documentation  can  be  easily  accessed  by  stakeholders  and  the 
public  though  the  Environmental  Site  Assessment  Repository  (ESAR)  at 
http://www.esar.alberta.ca.  While  ESAR  provides  access  to  most  of  the 
documentation  in  the  files,  some  indiv  idual  documents  are  only  available  upon 
request  due  to  confidentiality  reasons.  ESAR  alerts  users  when  such  documents 
are  present. 
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The  Department  is  presently  developing  an  electronic  application  that  will 
provide  analysis  and  summary  reporting  of  environmental  site  assessment 
information  across  the  province.  We  have  observed  clear  evidence  of  progress 
on  this  project. 

In  summary,  we  have  concluded  that  our  criteria  have  in  substance  been  met. 

3.    Climate  Change  and  Emissions  Management  Fund— implemented 

In  our  October  2008  Public  Report  (No.  27— page  261 ),  we  recommended  that 
the  Department  implement  processes  to  comply  with  the  Ministry  of  Treasury 
Board's  deadlines  for  completion  of  the  Climate  Change  and  Emission 
Management  Fund's  financial  statements.  We  also  recommended  that 
management  prepare  the  Fund's  financial  statements  on  an  accrual  basis. 

Our  audit  findings 

The  Ministry  implemented  this  recommendation.  Both  the  2007-2008  and 
2008-2009  financial  statements  were  prepared  on  the  accrual  basis  and  the 
Department  met  the  deadline. 


Financial  statements 

aUudhor'sopinions    °Ur  audit01',s  °Pinions  on  the  financial  statements  of  the  Ministry  and  the 
Department  for  the  year  ended  March  31,  2009  are  unqualified. 

Our  auditor's  opinion  on  the  financial  statements  of  the  Climate  Change  and 
Emissions  Management  Fund  for  the  two  years  ended  March  31,  2009  is 
unqualified. 

Performance  measures 

l  nquaht^d  The  Ministry  engaged  us  to  review  selected  performance  measures  in  the  Ministry's 

engagement  report    2008-2009  Annual  Report.  We  issued  an  unqualified  review  engagement  report  on 
these  measures. 
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Executive  Council 


Past  por  anv  outstanding  recommendations  previously  made  to  Executive  Council 


recommendations 


please  see  our  outstanding  recommendations  list  on  page  335. 


Financial  statements 

Unqualified  Qur  auditor's  opinion  on  the  Ministry's  financial  statements  for  the  year  ended 

auditor's  opinion  ,  ,  ^  js  unquaHfied 

Performance  measures 

Unqualified  j|ie  Ministry  engaged  us  to  review  selected  performance  measures  in  the  Ministry's 

2008-2009  Annual  Report.  We  issued  an  unqualified  review  engagement  report  on 


review 

engagement  report 


these  measures. 
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Finance  and  Enterprise 

Summary 

Department  The  Department  should: 

•  improve  its  quality  control  review  process  for  the  Ministry  annual  report— see 
page  2 1 4 

•  have  signed  contract  agreements  in  place  before  goods  or  sen  ices  are 
supplied — see  page  216 

The  Department  has  implemented  the  following  recommendations: 

•  our  2008  recommendation  to  develop  a  process  to  ensure  complete,  accurate 
and  timely  recording  of  Alberta  Heritage  Scholarship  Fund  donation  revenue 
see  page  2 1 8 

•  our  2008  recommendation  to  work  with  its  service  provider  to  ensure  that 
payroll  bank  reconciliations  are  promptly  prepared  and  re\  iewed — see  page  2  I  8 

•  our  2005-2006  recommendation  to  assess  the  costs  and  risks  associated  w  ith 
Supplementary  Retirement  Plans  (SRPs) — see  page  219 

ATB  Alberta  Treasury  Branches  should: 

•  ensure  its  control  objectives  have  been  met  before  the  core  banking  project  is 
complete — see  page  2 1 9 

•  develop  a  process  to  ensure  its  business  units  adopt  and  follow  an  organization- 
wide  IT  governance  and  control  framework    see  page  222 

•  strengthen  its  processes  for  confirming  it  complies  with  the  Outsourcing 
Guideline — see  page  226 

•  improve  its  service  provider  control  monitoring  processes — see  page  227 

Alberta  Treasury  Branches  has  implemented  the  following  recommendations: 

•  our  2006-2007  recommendation  to  implement  an  effective  organization-wide 
IT  control  framework — see  page  224 

•  our  2004-2005  recommendation  to  ensure  its  branch  processes  comply  with 
corporate  policies  and  procedures  (originally  made  in  1999-2000,  subsequently 
repeated  four  times) — see  page  229 

•  our  2002-2003  recommendation  that  management  ensure  its  lending  practices 
comply  with  Alberta  Treasury  Branches  policies  and  procedures  (repeated 
twice) — see  page  229 

•  our  October  2008  recommendation  that  management  improve  controls  for 
capturing  non-consumer  risk  ratings  in  Synergy — see  page  229 

•  our  2006-2007  recommendation  to  annually  validate  the  general  loan  loss 
allowance  model  against  actual  loss  data  and  modify  the  model  based  on  the 
results — see  page  229 
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AIMCo 


ACFA 


ASC 


Past 

recommendations 


Alberta  Investment  Management  Corporation  should: 

•  re-establish  an  internal  audit  group — see  page  232 

•  establish  a  process  to  estimate  current  market  values  for  private  and  hedge  fund 
investments — see  page  233 

•  work  with  the  Department  to  ensure  timely  recording  of  financial  statement 
accounting  adjustments  and  co-ordination  of  private  investment  valuation 
changes — see  page  235 

•  improve  its  processes  to  achieve  increased  efficiency  in  its  own  financial 
reporting — see  page  236 

Alberta  Investment  Management  Corporation  has  implemented  the  following 
recommendations: 

•  our  2008  recommendation  to  resolve  conflicting  job  responsibilities  of  its  Chief 
Internal  Audit  and  Compliance  Officer — see  page  239 

•  our  2008  recommendation  to  improve  its  processes  for  setting  up  and 
maintaining  approved  counterparties  in  the  swap  database  system — 
see  page  240 

•  our  2008  recommendation  to  improve  its  investment  performance  information 
review  processes — see  page  240 

Alberta  Capital  Finance  Authority  has  implemented  our  2008  recommendation  to 
extend  deadlines  for  finalizing  financial  statements  and  completing  the  financial 
statement  audit — see  page  241 

Alberta  Securities  Commission  has  implemented  our  2008  recommendation  to 
clarify  its  purchase  policy  to  ensure  it  complies  with  TILMA— see  page  241 

For  any  outstanding  recommendations  previously  made  to  the  organizations  that 
form  the  Ministry,  please  see  our  outstanding  recommendations  list  on  page  335. 


Our  audit  findings  and  recommendations 

1 .    Department  of  Finance  and  Enterprise 

1.1  Quality  control  process  over  review  of  information  in  the  annual  report 
Recommendation 

We  recommend  that  the  Department  of  Finance  and  Enterprise  improve 
its  quality  control  review  process  over  the  financial  statements  information 
in  the  Ministry  annual  report. 
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Ministry's  annual 
report  is  large  and 
complex 


Background 

The  Alberta  Finance  2007-2008  Annual  Report  includes  3 1  sets  of  financial 
statements  for  the  entities  that  comprise  the  Ministry  of  Finance  and  Enterprise. 
The  Auditor  General  audits  30  of  these  entities;  a  public  accounting  firm  audits 
the  Alberta  Insurance  Council's  financial  statements. 


Review  should 
ensure  accurate 
information 


Criteria:  the  standards  we  used  for  our  audit 

Financial  information  reported  in  the  Ministry's  annual  report  should  be 
accurate  and  complete.  Good  business  practices  for  reporting  and  reviewing 
financial  information  include  a  final  independent  review  of  the  financial 
information  to  ensure  that  it  is  accurate  and  complete. 

The  2007-2008  Ministry  Annual  Report  Standards  (section  D)  indicated  that  a 
draft  annual  report  should  be  submitted  to  our  Office  by  July  1 1 ,  2008.  This 
draft  annual  report  should  essentially  be  a  final  report  which  has  been  subjected 
to  quality  review  within  the  Ministry. 


Several  errors 
identified 


Our  audit  findings 

During  our  review  of  the  Ministry's  2007-2008  draft  annual  report.  \\  e 
identified  several  errors  that  were  not  detected  during  the  ministry's  quality 
control  review  process.  Some  of  these  errors  were  replicated  in  the  blueline 
version  of  the  annual  report.  Weaknesses  we  identified  include  the  following: 

•  The  "Auditor  General  of  Alberta"  word  mark  appeared  on  the  auditor's 
report  to  the  Members  of  the  Alberta  Insurance  Council.  The  Auditor 
General  is  not  the  auditor  for  this  entity.  This  auditor's  report  was  issued 
by  a  public  accounting  firm.  In  addition,  this  auditor's  report  was  not 
dated. 

•  In  several  cases,  the  wording  in  the  auditor's  reports  differed  from  the 
wording  in  the  official  auditor's  reports  we  issued  to  entities.  Words  were 
incorrectly  substituted,  omitted  or  inserted. 

•  In  some  cases,  the  dates  in  the  auditor's  reports  were  changed.  For 
example,  although  the  official  auditor's  report  to  shareholders  of 
Gainers  Inc.  was  signed  on  December  20,  2007,  the  version  in  the 
Ministry's  annual  report  was  dated  May  16,  2008.  In  addition,  the  year  end 
date  in  the  annual  report  version  was  reported  as  March  31,  2008  although 
the  actual  year  end  date  was  September  30,  2007. 

•  In  several  cases,  the  financial  statements  and  notes  contained  replication 
errors.  For  example,  numbers  were  missing  in  some  columns,  incorrect 
titles  were  used  for  some  statements,  spelling  mistakes  were 
included,  notes  appeared  in  the  wrong  order,  and  incorrect  narrative 
appeared  in  some  financial  statement  notes. 
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Contracts  should 
be  signed  before 
work  starts 


In  these  cases,  the  financial  information  included  in  the  draft  annual  report  did 
not  use  the  approved  text  in  the  final  financial  statements  (i.e.,  the  final  version 
that  is  covered  by  the  signed  auditor's  report). 

Implications  and  risks  if  recommendation  not  implemented 

Lack  of  a  strong  quality  control  system  could  result  in  inaccurate  and 
incomplete  financial  statements  information  in  the  Ministry  annual  report. 

1 .2  Contract  agreements 
Recommendation 

We  recommend  that  the  Department  of  Finance  and  Enterprise  have 
signed  contract  agreements  in  place  before  goods  or  services  are  supplied. 

Background 

The  Department's  policy  is  to  contract  for  goods,  services,  and  facilities  when: 

•  it  is  of  economic  benefit  to  the  Department, 

•  the  goods  and  services  are  essential  for  clients,  and 

•  contracting  is  in  accordance  with  overall  government  practice. 

The  contracts  policy  states  that  no  contractor  can  be  engaged  to  provide  goods 
or  services  before  signing  a  formal  contract  agreement.  The  policy  specifies 
contract  approval  limits.  Appropriate  approval  must  be  obtained  before  signing 
a  contract  or  changing  an  existing  contract. 

Criteria:  the  standards  we  used  for  our  audit 

The  Department  should  ensure  that: 

•  appropriate  approval  is  in  place  before  entering  into  a  contract 

•  legally  enforceable  contracts  are  in  place  that  define  the  roles  and 
responsibilities  of  both  parties  before  a  contractor  supplies  goods  or 
services 


Contracts  signed 
after  contract  start 
date 


Our  audit  findings 

We  selected  10  consulting  contracts  for  testing.  We  identified  that  in  four  cases, 
the  Department  had  signed  the  contract  agreement  after  the  contract's  start  date. 
The  delay  in  signing  ranged  from  19  days  to  40  days  and  the  contract  amounts 
ranged  from  $75,000  to  $572,000. 

We  understand  that  the  Department  of  Justice  clarified  the  intent  of  clause  7  in 
the  Department's  standard  contract  template,  which  specifies  the  contract  start 
date.  Justice  advised  that  clause  7  requires  a  written  agreement,  executed  at  the 
earliest  possible  time  after  the  start  date,  to  be  in  place  if  there  is  justification 
for  a  delay.  We  did  not  find  any  documentation  explaining  the  delays  in  signing 
the  four  contracts. 
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We  also  noted  that  in  tour  eases  the  contract  approval  form  required  by  the 
Department's  policy  was  signed  after  the  contract's  start  date.  The  contract 
approval  form  provides  evidence  that  the  Department  has  completed  its  due 
diligence  before  entering  into  a  contract. 


Management 
succession  plan 
needed 


Implications  and  risks  if  recommendation  not  implemented 

Without  a  signed  contract  in  place,  the  parties'  rights  and  responsibilities  are 
not  clearly  defined. 

1.3  Financial  reporting  processes  and  succession  planning — Investment 
Accounting  and  Reporting  Group — progress  report 
Background 

Last  year,  in  our  October  2008  Report  (page  268),  we  recommended  that  the 
Investment  Accounting  and  Reporting  (IAR)  Group  of  the  Department  of 
Finance  and  Enterprise  improve  the  timeliness  of  its  financial  reporting  and 
decrease  workloads  by  recruiting  skilled  personnel  w  ith  expertise  in  investment 
accounting,  allocating  sufficient  time  for  management  review,  and  creating  a 
management  succession  plan. 


The  IAR  group  is  responsible  for  the  financial  reporting  of  the  investment 
clients  of  Alberta  Investment  Management  Corporation  (AIMCo).  They  prepare 
endowment  fund  financial  statements,  and  financial  statement  information  for 
the  pension  plans  and  other  government  entities  investing  with  AIMCo.  On  a 
monthly  basis,  IAR  prepares  bank  reconciliations,  reviews  investment 
transactions  and  prepares  financial  reports  for  approximately  60  investment 
pools. 


Financial  Services 

division 

restructured 


Management  actions 

The  Financial  Services  division  of  the  Department  was  restructured  and 
additional  resources  were  obtained  so  that  priorities  could  be  met  and  training 
provided  to  new  and  existing  staff.  The  new  resources  will  form  part  of  the 
succession  plan  in  the  IAR  group. 


Draft  financial  statements,  working  papers  and  bank  reconciliations  were 
provided  to  the  auditors  in  accordance  with  deadlines  which  were  earlier  than 
the  previous  year. 


To  fully  implement  this  recommendation,  IAR  needs  to  ensure  that  a 
management  succession  plan  is  established  for  the  group. 
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1.4  Donated  funds— Alberta  Heritage  Scholarship  Fund— implemented 
Background 

Last  year,  in  our  October  2008  Report  (page  270),  we  recommended  that  the 
Department  of  Finance  and  Enterprise  develop  a  process  to  ensure  complete, 
accurate  and  timely  recording  of  Alberta  Heritage  Scholarship  Fund  donation 
revenue. 


New  process  for 
donation  revenue 


The  Alberta  Heritage  Scholarship  Fund  receives  contributions  from  other 
ministries  and  government  departments  for  specific  scholarship  programs.  Last 
year,  a  program  administered  by  the  Department  of  Advanced  Education  and 
Technology,  expensed  matching  scholarship  donations  and  recorded  a 
corresponding  liability  without  notifying  the  Scholarship  Fund. 

Our  audit  findings 

Management  put  in  place  a  new  process  for  confirming  donation  revenue  with 
the  Department  of  Advanced  Education  and  Technology. 

1.5  Payroll  bank  reconciliations— implemented 
Background 

Last  year,  in  our  October  2008  Report  (page  271 )  we  recommended  that  the 
Department  of  Finance  and  Enterprise  work  with  its  service  provider  to  ensure 
that  bank  reconciliations  for  the  government's  payroll  disbursement  bank 
account  are  promptly  prepared  and  reviewed. 

Our  audit  findings 

The  Department's  discussions  with  its  service  provider  revealed  that  personnel 
issues  impeded  their  ability  to  promptly  complete  the  payroll  disbursement 
bank  reconciliations.  The  service  provider  subsequently  resolved  the  personnel 
issues  and  now  has  two  people  assigned  to  deal  with  payroll  disbursement  bank 
account  matters. 


Bank 

reconciliations 
now  promptly 
prepared 


We  reviewed  the  payroll  disbursement  bank  reconciliations  for  July  2008  to 
December  2008.  We  noted  that  the  service  provider  is  now  preparing 
these  monthly  bank  reconciliations  within  the  timelines  specified  by  the 
Banking  Operations  Agreement.  The  Department  obtained  the  supporting 
documents  for  items  included  on  the  reconciliations  and  completed  its  own 
reviews  on  a  timely  basis. 
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1.6  Disclosing  Supplementary  Employee  Retirement  Plans  (SRPs) — 
implemented 
Background 

In  our  2005  2006  Annual  Report  (No.  30 — vol.  2,  page  97),  we  recommended 
that  the  Department  of  Finance  review  Treasury  Board  directives  to  ensure  that 
the  amount  disclosed  as  the  total  compensation  of  each  senior  executiv  e 
includes  Supplemental")  Fmployment  Retirement  benefits  earned  in  the  year.  In 
our  2006-2007  Annual  Report  (page  181 )  we  reported  that  management 
implemented  our  recommendation. 

We  also  recommended  in  our  2005  2006  Annual  Report  (No.  30 — vol.  2, 
page  97)  that  the  Department  assess  the  costs  and  risks  associated  with 
Supplementary  Retirement  Plans  (SRPs). 

Our  audit  findings 

Pre-lunding  jfoc  Department  completed  its  assessment  of  the  costs  and  risks  associated  with 

requirLti  SRPs  and  concluded  the  risks  associated  with  SRPs  would  be  essentially 

eliminated  if  SRPs  were  pre-funded — that  is,  each  public  sector  entity  had 
sufficient  assets  set  aside,  either  in  earmarked  assets  or  a  retirement 
compensation  arrangement  under  the  Income  Tax  Aet\  to  cover  the  costs 
associated  with  its  SRPs. 


Treasury  Board  has  drafted  a  directive  that  would  require  pre-funding  of  SRPs 
based  on  their  actuarial  cost.  Once  the  directive  has  been  issued,  Treasury 
Board  will  need  to  monitor  and  enforce  compliance  w  ith  the  directive. 

In  our  2008  October  Report  (page  47),  we  reported  on  executive  compensation, 
including  SRPs.  Further  discussion  of  SRPs  as  a  component  of  executive 
compensation  is  on  page  25  of  this  report. 


ATB 

implementing 
SAP  banking 
system 


2.   Alberta  Treasury  Branches 
2.1  SAP  core  banking  system  implementation 
Background 

ATB  is  implementing  a  new  SAP  banking  system  that  includes  a  full  suite  of 
financial,  banking  and  support  modules.  This  project,  known  as  Core,  will 
transform  ATB's  banking  system,  financial  reporting  systems,  internet  and 
telephone  banking  applications.  ATB  installed  the  major  components  of  its 
current  banking  system  in  the  mid-1980s.  A  banking  system  is  the  way  a  bank 
keeps  track  of  loans  and  deposits.  The  Core  project  will  integrate  ATB's 
banking  systems  with  its  financial  reporting  and  customer  access  systems. 
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Operational 
benefits  expected 


Project  budget  is 
$160  million 


We  audited 
functional  design 
process 


Blueprint  is  the 
key  output 


Understanding 
functionality  is 
critical 


ATB  expects  to  see  significant  operational  benefits  from  its  new  system  and  to 
provide  better,  more  efficient  services  to  its  customers.  In  introducing  this  new 
technology,  ATB  will  also  transform  many  of  its  business  processes  to  create 
operational  efficiencies  and  reduce  manual  processes. 

The  Core  project  was  budgeted  at  $160  million.  Its  scheduled  completion  date 
is  April  2010. 

What  we  did 

We  audited  the  functional  design  process  ATB  followed  for  the  SAP  finance 
modules,  which  include  accounts  payable,  fixed  asset  and  general  ledger 
modules.  ATB's  internal  audit  group  performed  a  similar  audit  for  the  SAP 
banking  modules. 

A  functional  design  process  confirms  the  business  requirements  to  be  included 
in  the  system  before  designing  the  system.  A  system  blueprint  is  the  key  output 
of  the  functional  design  process.  That  blueprint  is  then  used  to  build  the  system. 

ATB's  approach  is  to  minimize  the  need  for  customization;  it  is  purchasing  the 
SAP  financial  system  for  its  existing  functionality.  The  critical  step  for  ATB  is 
to  fully  understand  the  functionality,  including  the  controls,  in  the  new  SAP 
finance  modules  and  consider  how  those  should  be  used. 

In  this  audit,  we  assessed  whether  ATB  management: 

•  asked  knowledgeable  ATB  staff  to  review,  analyze  and  document  ATB's 
finance  processes 

•  considered  all  significant  finance  requirements  at  the  functional  design 
stage 

•  considered  external  requirements,  internal  policies  and  internal  controls  as 
part  of  the  functional  design  process 

•  ensured  that  appropriate  ATB  staff  or  committees  reviewed  and  approved 
the  finance  functional  design 

What  we  found 

•  Knowledgeable  ATB  staff  analyzed  and  documented  ATB's  finance 
processes. 

•  Except  for  our  concerns  related  to  controls  (see  our  recommendation  on 
page  22 1 ),  ATB  identified  and  considered  its  business  process 
requirements  and  included  them  in  the  design  of  the  finance  module. 

•  ATB  management  considered  internal  policies  such  as  business  rules. 
How  ever,  ATB  was  unable  to  provide  evidence  that  it  had  sufficiently 
considered  controls  in  the  functional  design  stage. 
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•     Blueprint  documents  were  the  main  output  of  the  finance  functional  design 
process.  These  documents  were  appropriately  reviewed  and  approved  by 
ATB  staff. 

Conclusion 

For  our  audit  to  have  a  timely  impact  on  this  large  project,  our  findings  need  to 
be  dealt  with  before  the  project  is  complete.  Therefore,  we  have  advised  the 
Strategic  Steering  Committee2  they  should  receive  the  appropriate  assurances 
from  the  project  leadership  team  that  the  organization's  control  objectives  have 
been  satisfied  before  the  user  acceptance  testing  phase  of  the  project  is 
complete.  Management  has  agreed  to  act  on  our  advice.  At  this  point,  there  is 
sufficient  time  before  the  transition  date  for  the  internal  control  matters  u  e  have 
identified  to  be  dealt  with. 

Internal  controls 
Recommendation 

We  recommend  that  the  Alberta  Treasury  Branches  Strategic  Steering 
Committee  receive  the  appropriate  assurance  from  the  project  leadership 
team  that  the  organization's  control  objectives  have  been  satisfied  before 
the  user  acceptance  testing  phase  of  the  project  is  complete. 


Control 

framework  helps 
organize  eontrols 


Background 

A  control  framework  is  a  logical  way  to  organize  controls  over  business 
processes  (such  as  financial  reporting  or  accounts  payable)  to  manage  specific 
risks  that  may  weaken  an  organization's  ability  to  meet  its  objectives.  A  control 
framework  generally  consists  of  control  objectives  that  align  with  identified 
risks.  Organizations  then  identify  their  own  specific  controls  to  meet  these 
control  objectives. 


Criteria:  the  standards  we  used  for  our  audit 

In  its  functional  design  process,  ATB  should  use  a  control  framework  that 
identifies  ATB's  control  objectives  and  related  controls  that  support  its  finance 
business  processes  and  mitigate  risks. 


Control 
framework  not 
applied 


Our  audit  findings 

In  its  finance  module  functional  design  process,  ATB  did  not  apply  a  control 
framework  that  matched  ATB's  business  process  control  objectiv  es  to  the 
controls  within  the  new  SAP  finance  modules. 


2  The  Strategic  Steering  Committee  prov  ides  oversight  to  the  Core  banking  project.  The  Committee  consists  of  senior 
executives  within  ATB.  ATB's  Chief  Executive  Officer  chairs  the  Committee. 
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In  2007-2008,  ATB's  internal  control  group  used  a  control  framework  to 
identify  and  document  control  objectives  and  controls  for  ATB's  accounts 
payable,  fixed  asset  and  financial  reporting  business  processes.  ATB  did  not  use 
this  control  framework  in  the  finance  functional  design  process.  Therefore,  it 
has  not  ensured  that  controls  within  the  new  SAP  finance  module  will  align 
with  ATB's  control  objectives  and  will  mitigate  significant  risks.  Our 
discussions  with  the  internal  control  group  indicate  they  have  had  only  minimal 
involvement  to  date  with  the  project  team. 

In  our  2008  October  Report  (page  278),  we  recommended  that  ATB  validate 
and  approve  business  processes  and  internal  control  documentation  developed 
by  its  internal  control  group  and  that  ATB  resolve  identified  internal  control 
weaknesses.  Management  indicated  they  would  use  the  internal  control  group's 
documentation  in  the  Core  banking  project  to  ensure  that  the  design  of  the 
finance  modules  would  correct  existing  control  weaknesses.  ATB  was  unable  to 
provide  us  with  evidence  that  this  was  done  during  the  finance  module 
functional  design  process. 

Implications  and  risks  if  recommendation  not  implemented 

Internal  controls  that  meet  ATB's  control  objectives  and  mitigate  significant 
risks  may  not  be  in  place  when  the  new  SAP  finance  module  goes  live  in  2010. 

2.2  Information  technology  internal  control  recommendations 
2.2.1  Organization-wide  information  technology  oversight 
Recommendation  No.  24 

We  recommend  that  Alberta  Treasury  Branches  improve  the  efficiency 
and  effectiveness  of  its  computing  environment  by  developing  a  process  to 
ensure  all  ATB  Business  Units  adopt  and  follow  an  organization-wide 
Information  Technology  governance  and  control  framework. 

Background 

Information  technology  (IT)  governance  is  a  set  of  IT  control  processes, 
activities  and  standards  that  must  be  in  place  to  ensure  that  an  organization 
implements  appropriate  systems  and  applications  and  to  prevent  financial  or 
information  loss  or  unauthorized  changes  in  an  organization.  An  efficient  and 
effective  organization-wide  IT  governance  program  and  control  framework, 
with  well-designed  control  processes,  would  allow  ATB  to  provide  secure  and 
reliable  services  to  clients  and  staff  when  needed. 

ATB  uses  a  decentralized  approach  to  IT,  with  distinct  Business  Units  that 
provide,  host  or  administer  some  form  of  services  through  IT  or  other  sources 
to  clients  and  staff. 


Previous  work  on 
control  framework 
not  used 
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Decentralized  1 1 
requires  strong  IT 
co\  ernanee 


Decentralized  IT  may  work  well  to  quickly  deliver  programs  or  services,  but  it 
poses  unique  challenges  for  the  efficient  use  of  corporate  funds,  infrastructure, 
risk  management  and  the  security  of  ATB  client  information.  It  requires  a 
strong  IT  governance  and  compliance  program  applied  across  all  Business 
Units  to  reduce  inherent  inefficiencies,  security  vulnerabilities  and  risks. 


Criteria:  the  standards  we  used  for  our  audit 

ATB  should  have  a  well-designed  and  effectively  applied  IT  governance  model 
and  IT  control  framew  ork  to  manage  and  control  Business  Unit  IT,  and  a 
central  authority  to: 

•  define  and  provide  overall  business  priorities,  divisional  IT  investment 
allocations,  IT  principles  and  standards,  and  high-level  governance  and 
decision  making  over  the  entire  computing  environment 

•  ensure  that  IT  expenditures  and  resource  allocations  are  sufficient  to  meet 
ATB's  overall  priorities,  and  are  used  efficiently 

•  ensure  that  IT  controls  and  standards  provide  sufficient  structure  to  ensure 
complete,  accurate,  reliable  and  secure  development  and  deployment  of 
systems,  applications  and  data 

Our  audit  findings 

In  our  2006-2007  Annual  Report  (vol.  2 — page  97),  we  recommended  that 
ATB  implement  an  effective,  organization-wide  IT  control  framew  ork.  We 
concluded  ATB  has  implemented  this  recommendation  (see  section  2.2.2). 
However,  ATB  still  cannot  demonstrate  that  all  ATB  Business  Units  have 
applied  its  IT  control  framework  and  that  the  IT  controls  are  well-designed  and 
operating  effectively. 


ATB  cannot  attest 
to  consistent  IT 
controls 


We  noted  Business  Unit's  IT  controls  and  standards  vary  and  are  not 
consistently  applied.  Each  Business  Unit  manages  its  own  IT  policies  and 
practices  as  they  deem  appropriate  for  their  systems  and  applications.  As  a 
result,  ATB  cannot  attest  that  the  confidentiality,  integrity  and  av  ailability  of  all 
key  application  systems — and  the  data  stored  and  processed  in  them  is 
adequately  managed. 


To  implement  this  recommendation,  we  expect  ATB  to  demonstrate  that: 

•  a  centralized  authority  ensures  IT  controls  and  standards  arc  implemented 
throughout  the  organization 

•  a  centralized  authority  can  assert  that  ATB's  IT  control  framew  ork  is  being 
consistently  followed  throughout  the  entire  organization  and  that  IT 
controls  are  operating  effectively 
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Business  Units  assess  their  IT  controls  and  provide  a  "sub-certification"  to 
a  central  authority  that  their  IT  controls  are  well-designed  and  operating 
effectively 

•  there  is  specific  accountability  for  each  IT  control  in  each  Business  Unit 
ATB  must  also  be  able  to: 

•  provide  us  with  a  project  plan  and  a  completion  date  for  implementing  an 
IT  control  framework  that  operates  effectively  throughout  all  Business 
Units 

•  conduct  an  IT  risk  assessment  throughout  all  Business  Units,  identify  and 
assess  risks  that  are  or  can  be  mitigated  through  well-designed  and 
effective  IT  controls,  and  then  ensure  that  they  are  being  properly  mitigated 

Implications  and  risks  if  recommendation  not  implemented 

Without  consolidated  Business  Unit  IT  governance  and  controls  processes,  or  a 
central  authority  to  ensure  they  are  met,  ATB  cannot  demonstrate  its  IT  control 
framework  has  been  implemented  across  the  organization  and  operates 
effectively. 

2.2.2  IT  control  framework — implemented 

In  our  2006-2007  Annual  Report  (vol.  2— page  97),  we  recommended  that 
ATB  implement  an  effective,  organization-wide  IT  control  framework. 

Our  audit  findings 

ATB  substantially  implemented  this  recommendation  within  the  IT  Service 
Department  Business  Unit  by: 

•  adopting  an  IT  control  framework  based  on  COBIT  4. 1 

•  developing  and  (is)  implementing  control  processes  through  its  IT  control 
framework  to  mitigate  risks  and  support  business  goals  and  objectives 

•  promoting  the  IT  control  framework  for  the  entire  organization  via  the 
Business  Unit  line  managers 

Now  that  IT  has  implemented  a  control  framework,  it  needs  to  apply  that 
control  framework  consistently  and  to  IT  within  all  ATB  business  units. 
Therefore,  we  make  a  new  recommendation  this  year— Organization-wide 
information  technology  oversight  (see  section  2.2.1)— about  ensuring  IT 
controls  are  consistently  implemented  and  operating  effectively  throughout 
ATB. 
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ATB  changed  its 
service  provider 


2.3  Service  provider  transition 
Background 

During  summer  2008,  Alberta  Treasury  Branches  changed  ser\  ice  providers  for 
night  depository  and  treasury  processing,  from  one  outsourced  service  provider 
to  another.  These  services  included  handling  and  processing  physical  cash, 
reconciling  and  settlement  of  information  for  automated  banking  machine  and 
nightly  deposit  transactions,  and  delivering  cash  to  branches.  ATB  Central 
Services  is  the  business  owner  of  ATB's  relationship  with  the  service  pro\  icier. 


Problems  \\  ith 
transaction 
processing  created 
a  reconciliation 
difference  of  over 
S 1 .6  million 


Observation 

We  visited  ATB  Central  Services  in  November  2008  and  noted  problems  with 
its  daily  reconciliations  between  cash  collected  and  processed  by  the  service 
provider  and  cash  recorded  in  ATB's  general  ledger.  The  service  prov  ider 
creates  daily  transaction  blotters  of  activity  and  sends  them  to  ATB.  For 
multiple  days  between  August  2008  and  November  200S.  the  transaction 
blotters  did  not  balance  to  the  general  ledger,  and  ATB's  suspense  accounts 
were  not  cleared.  ATB  initiated  a  remediation  project  in  November  2008  to 
reconcile  various  affected  general  ledger  accounts.  At  March  3 1 .  2009.  ATB 
had  not  yet  reconciled  the  differences  in  the  accounts  to  an  acceptable  level;  the 
net  unreconciled  differences  were  still  over  $1.6  million. 


Manual  processes 
needed  to  correct 


errors 


Significant  manual  processes  had  to  be  put  in  place  at  ATB  Central  Sen  ices  to 
correct  errors  that  resulted  from  the  transition  to  a  new  service  prov  ider.  For 
example,  we  noted  the  service  provider  was  producing  inaccurate  customer 
letters,  which  ATB  staff  had  to  intercept  to  prevent  them  from  being  sent  to 
ATB  customers. 


Operational 
impacts  not  fully 
assessed 


Project 

governance  needs 
improvement 


ATB's  Internal  Audit  performed  a  post-implementation  audit  of  the  transition. 
The  issues  identified  by  ATB's  Internal  Audit  included: 

•  ATB  had  not  adequately  assessed  or  managed  the  operational  requirements 
for  this  transition.  The  new  outsourcer's  staff  v\  ere  overw  helmed  by  and 
unable  to  handle  the  volume  of  transactions.  This  led  to  cash  shortages  at 
branches,  incorrect  cash  parcels  delivered  and  late  or  missing  cash 
deliveries,  night  deposits  not  processed  correctly  or  promptly,  and  manual 
workarounds,  and  balancing  and  reconciling  problems. 

•  ATB  provided  inadequate  project  governance.  ATB's  project  management 
office  was  not  engaged  and  a  project  management  methodology  was  not 
adopted.  Project  scope  was  changing  or  incomplete.  The  project's  go-live 
date  led  to  unrealistic  timelines. 


We  encourage  ATB  management  to  evaluate  and  learn  from  the  difficulties  it 
encountered  with  this  service  provider  transition. 
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2.4  Process  for  confirming  compliance  with  Alberta  Finance  and  Enterprise 
guidelines— recommendation  repeated 

While  significant  progress  has  been  made,  we  repeat  this  recommendation 
because  Alberta  Treasury  Branches  has  not  yet  implemented  an  effective 
process  to  identify  material  outsourcing  agreements.  We  believe  this  is  a  critical 
step  in  the  process. 

Recommendation  No.  25 — repeated 

We  again  recommend  that  Alberta  Treasury  Branches: 

•  improve  the  processes  for  confirming  its  compliance  with  Alberta 
Finance  and  Enterprise's  Outsourcing  of  Business  Activities,  Functions 
and  Processes  Guideline 

•  review  and  assess  the  appropriateness  of  the  ATB  staff  responsible  for 
ensuring  compliance  with  Alberta  Finance  and  Enterprise  guidelines 

Background 

We  originally  made  this  recommendation  in  our  2006-2007  Annual  Report 
(No.  26— vol.  2,  page  94). 

Criteria:  the  standards  we  used  for  our  audit 

ATB  should  have  systems  and  processes  in  place  to  ensure  it  complies  with 
Alberta  Finance  and  Enterprise's  Guideline,  including  systems  and  processes 
to: 

•  evaluate  the  risks  of  all  existing  and  proposed  outsourcing  arrangements 

•  assess  the  materiality  of  outsourcing  arrangements 

•  implement  a  program  for  managing  and  monitoring  risks,  depending  on  the 
materiality  of  the  arrangements 

•  ensure  that  ATB's  Board  of  Directors  receives  sufficient  information  to 
meet  its  duties  under  the  Guideline 


Progress  made  but 
further  work 
needed 


Inappropriate 
override  exists 


Our  audit  findings 

We  reviewed  ATB's  process  to  identify  material  outsourcing  arrangements.  In 
our  opinion,  ATB  has  not  fully  implemented  this  recommendation.  While 
progress  was  made,  such  as  managing  and  monitoring  risks  of  identified 
material  outsources  and  reporting  on  the  status  of  material  outsourced 
agreements,  further  improvements  are  necessary  to  the  critical  process  of 
identifying  material  outsourcers. 

Assessment  of  the  materiality  of  proposed  outsourcing  arrangements 

ATB  uses  a  scorecard  system  to  determine  whether  an  agreement  is  classified 
as  material  and  therefore  subject  to  Finance  and  Enterprise's  Guideline.  If  a 
score  of  50  out  of  100  is  achieved,  the  agreement  is  classified  as  material. 
However,  an  exception — that  acts  as  an  override — exists  to  deem  an  agreement 
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not  to  be  material  if  ATB  cannot  do  the  activity  itself.  We  believe  that  an 
outsourcing  agreement  exists  if  ATB  has  outsourced  a  particular  operational 
process  or  control  to  a  vendor.  ATB  should  then  use  the  criteria  in  the 
Guideline  to  determine  if  the  agreement  is  material  or  not.  If  ATB  cannot  do  the 
activity  itself,  an  exception  is  not  appropriate,  as  shown  in  the  following 
example,  which  occurred  in  2008  2009. 

In  August  2008,  ATB  changed  its  vendor  for  night  depository  and  treasury 
processing  services.  Although  the  arrangement  with  the  previous  vendor  was 
considered  a  material  outsourcing  agreement  and  the  new  outsourcing 
agreement  scored  75  out  of  100  on  the  assessment  scorecard.  ATB  deemed  the 
new  relationship  as  not  material.  Management  concluded  that  because  ATB 
could  not  perform  one  particular  function  internally,  the  whole  contract  was  not 
material.  In  our  opinion.  ATB  has  misclassified  the  materiality  of  this 
outsourcing  arrangement.  As  a  consequence  of  their  decision,  this  arrangement 
did  not  follow  the  same  monitoring  and  control  processes  applied  to  other 
material  outsourcers. 

To  implement  this  recommendation,  ATB  must  further  develop  its  processes  for 
identifying  material  outsourcing  relationships. 

Implications  and  risks  if  recommendation  not  implemented 

ATB  cannot  show  it  is  in  compliance  with  Alberta  Finance  and  Enterprise's 
Guideline.  ATB  is  ultimately  accountable  for  all  outsourced  activities.  Without 
proper  controls  and  processes,  ATB  may  be  unable  to  rely  on  the 
confidentiality,  availability,  completeness  and  validity  of  ATB  client  and 
financial  data  that  outsourcers  handle. 

2.5  Service  auditor  reports — user  control  considerations 
Recommendation 

We  recommend  that  Alberta  Treasury  Branches  improve  its  processes 
related  to  service  providers  by  ensuring  its  business  areas: 

•  receive  service  provider  audit  reports 

•  rev  iew  service  provider  audit  reports  and  assess  the  impact  of 
identified  internal  control  weaknesses 

•  put  end-user  controls  in  place  to  complement  serv  ice  provider  controls 


ATB 

mis-classified  the 
outsource  provider 
as  "not  material" 
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Service  providers 
do  critical 
business  functions 


Service  provider 
controls  protect 
information  assets 


End-user  controls 
also  need  to  be  in 
place 


Monitoring 
processes  do  not 
exist 


Background 

ATB  uses  a  number  of  service  providers  to  process  transactions  and  carry  out 
critical  business  functions.  Where  services  are  outsourced  to  service 
providers— for  example,  cheque  clearing  processing— controls  and  processes 
are  performed  by  the  service  provider.  Although  ATB  can  outsource  a  portion 
of  its  control  environment  to  service  providers,  the  overall  responsibility  for 
these  controls  and  processes  remains  with  ATB. 

Service  auditor  reports  provide  information  and  assurance  that  a  service 
provider  has  appropriate  internal  controls  over  the  transactions  and  processes 
ATB  has  outsourced.  Significant  control  weaknesses  in  a  service  auditor's 
report  could  indicate  that  the  service  organization  is  unable  to  provide  ATB 
with  an  adequate  level  of  service  or  sufficiently  protect  its  information  assets. 
The  lack  of  a  service  auditor's  report  makes  it  difficult  for  ATB  to  gain 
assurance  over  the  service  provider's  control  environment. 

From  ATB's  perspective,  one  of  the  most  important  aspects  of  a  service  auditor 
report  is  the  end-user  control  considerations.  These  are  procedures  the  service 
organization  recommends  that  ATB  implement.  These  controls  complement 
controls  at  the  service  organization  to  enhance  the  level  of  control  over  ATB's 
transactions  and  data.  The  controls  at  ATB  and  the  service  organization  together 
comprise  the  overall  control  environment. 

Criteria:  the  standards  we  used  for  our  audit 

ATB  should  have  a  process  to: 

•  obtain  service  auditor  reports  from  significant  service  providers 

•  review  service  auditor  reports  to  assess  the  impact  of  internal  control 
deficiencies  identified  by  the  service  provider's  auditor 

•  evaluate  the  end-user  requirements  in  the  service  auditor  reports  to  ensure 
they  are  in  place 

Our  audit  findings 

We  found  that: 

•  ATB  lacked  a  process  to  ensure  that  all  service  auditor  reports  for 
significant  service  providers  are  obtained  and  reviewed  by  the  business 
areas 

•  ATB  had  not  evaluated  control  deficiencies  noted  in  these  reports  to  assess 
the  impact  on  ATB's  control  environment 

ATB  does  not  have  a  process  to  ensure  end-user  controls  identified  in 
service  auditor  reports  are  in  place  and  effective 
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Implications  and  risks  if  recommendation  not  implemented 

Operational  problems  with  outsourcing  arrangements  can  go  undetected  it*  ATH 
does  not  monitor  the  control  environment  of  its  outsourcers  and  design  and 
implement  the  end-user  controls  the  outsourced  service  pro\  ider  expects  A  I  B 
to  follow. 


2.6  Branch  compliance — implemented 

We  recommended  in  our  1999-2000  Annua/  Report  (No.  49 — page  281 )  that 
ATB  ensure  its  branch  processes  comply  with  corporate  policies  and 
procedures.  We  repeated  this  recommendation  four  times,  the  last  being  in  our 
2004  2005  Annual  Report  (No.  33-   page  195). 


Policies  and 
procedures 
updated  and 
compliance 
monitored 


ATB  implemented  the  recommendation  by  developing  sufficient  processes  to: 

•  develop  and  refine  policies  and  procedures,  and  publish  them  through  their 
intranet 

•  identify  areas  of  non-compliance  through  branch  audits  by  Internal  Audit 
and  visits  by  the  compliance  group 

•  coach  staff  in  areas  of  non-compliance  to  remediate  problems 


2.7  Lending  compliance — implemented 

In  our  2002  2003  Annual  Report  (No.  15 — page  1 19),  we  recommended  that 
management  ensure  its  lending  practices  comply  with  ATB  policies  and 
procedures.  We  repeated  this  recommendation  twice,  the  last  being  in  our 
2004-2005  Annual  Report  (No.  32— page  193). 


Policies  and 
procedures 
updated  and 
compliance 
monitored 


ATB  implemented  this  recommendation  by  establishing  several  key  initiatives 
to  reduce  non-compliance  with  ATB  lending  policies  and  procedures  to  an 
acceptable  level.  The  initiatives  include: 

•  developing  and  clarifying  policies  and  procedures 

•  conducting  ongoing  compliance  examinations 

•  establishing  a  loan  review  process  within  Central  Services 


Risk  rating 
process  was 
improved 


2.8  Non-consumer  risk  ratings  in  Synergy — implemented 

In  our  October  2008  Report  (page  277).  we  recommended  that  management 
improve  controls  for  capturing  non-consumer  risk  ratings  (NCRRs)  in  Synergy. 

ATB  has  implemented  this  recommendation  by  further  refining  the  process 
within  Corporate  Financial  Services  to  update  NCRRs  in  the  Synergy  banking 
system. 

2.9  General  loan  loss  allowance  (GLLA)  model  validation — implemented 

In  our  2006-2007  Annual  Report  (vol.  2 — page  99),  we  recommended  ATB 
annually  validate  the  GLLA  model  against  actual  loss  data  and  modify  the 
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model  based  on  the  results.  ATB's  GLLA  policy  specifies  that  it  will  conduct 
regular  peer  comparisons  to  benchmark  the  level  of  the  GLLA  relative  to  other 
financial  intermediaries.  We  also  recommended  that  ATB  report  the  validation 
results  and  controls  used  in  the  model  to  the  Audit  Committee. 


GLLA  model 
validation 


ATB  implemented  this  recommendation  by  validating  its  GLLA  model  against 
validation  ,        ,  D 

completed  actual  results^  performing  peer  benchmarking  and  reporting  the  results  of  the 

validation  to  the  Audit  Committee. 


3.   Alberta  Investment  Management  Corporation  (AIMCo) 

AIMCo  was  established  as  a  Crown  Corporation  on  January  1,  2008,  to  provide 
investment  management  services  to  various  Alberta  public  sector  pension, 
endowment  and  special  purpose  funds  through  a  corporate  structure.  Prior  to 
2008,  the  investments  were  managed  by  the  Department  of  Finance  and 
Enterprise.  AIMCo  manages  investments  with  a  market  value  of  more  than 
$68  billion,  including,  for  example,  the  portfolios  of  the  Local  Authorities 
Pension  Plan,  the  Heritage  Fund,  the  Alberta  Sustainability  Fund  and  the 
Consolidated  Cash  Investment  Trust  Fund.  The  investments  are  grouped  into 
investment  pools,  some  of  which  are  managed  internally,  and  others  by  external 
managers  selected  and  monitored  by  AIMCo. 

We  audit  AIMCo's  internal  controls  for  the  purpose  of  expressing  an  opinion 
on  the  financial  statements  of  the  investment  participants  for  fiscal  years  ending 
December  3 1  and  March  3 1 .  Our  work  is  done  centrally  at  the  pooled-fund 
level  and  includes  assessing  the  design  and  operating  effectiveness  of  internal 
controls  over  the  management  of  investments. 

Risk  management 

2008-2009  was  an  extraordinary  year  in  the  global  economy.  The  impact  of  the 
sub-prime  mortgage  crisis,  credit  collapse  and  ensuing  recession  was  felt 
around  the  world  and  continues  to  this  day.  The  resulting  plunge  in  world  stock 
markets  by  30%  to  40%  impacted  many  investors,  including  the  Alberta  public 
sector  investments  managed  by  AIMCo.  It  was  within  this  economic  climate 
that  our  audit  work  focused  on  controls  to  reduce  the  risk  of  investment  losses. 
We  identified  the  need  for  AIMCo  to  improve  its  measuring  and  monitoring  of 
enterprise  risk,  its  managing  of  derivative  and  credit  risk,  and  its  credit 
screening  processes  for  corporate  bond  purchases. 

As  we  were  auditing  internal  control  systems  in  the  latter  part  of  2008-2009, 
the  new  management  at  AIMCo  was  assessing  the  quality  of  those  systems  and 
by  means  of  a  new  business  plan,  identifying  the  areas  of  its  business  that 
needed  a  new  approach  in  terms  of  management  and  control.  By  the  spring  of 
2009,  subsequent  our  audit,  AIMCo  began  to  introduce  new  risk  management 


3.1 

Risk  of  inv  estment 
losses 


New  management: 
new  approach 
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Areas  for 
impny\  ement 


processes.  In  our  opinion,  the  improvements  under  way  will  significant!) 
strengthen  the  controls  that  AlMCo  needs  to  manage  its  business. 

Here  are  our  risk  management  findings  from  our  2008  2009  audit  w  ork.  They 
are  presented  as  observations  as  the  new  management  group  is  taking  action  to 
resolve  them.  In  summary: 

•  Enterprise  risk  management — for  most  of  the  year,  there  w  as  no  enterprise 
risk  management  program 

•  Derivative  risk  management — for  most  of  the  year,  there  was  no 
entity-wide  reporting  or  analysis  of  derivative  positions,  and  of  credit  or 
liquidity  risks 

•  Derivative  credit  risk  monitoring — for  most  of  the  year,  reported  on 
monthly,  so  not  available  when  investment  decisions  were  being  made 

•  Corporate  bond  credit  screening — policies  last  updated  six  years  ago,  and 
no  overall  limits 

In  subsequent  audits,  we  will  assess  w  hether  new  or  enhanced  controls  are 
operating  as  designed. 


Risk  a\\  areness  at 
all  levels 


New  monitoring 
tool 


Enterprise  risk  management 

To  manage  risk  effectively,  AIMCo  has  to  incorporate  risk  awareness  and 
management  into  the  processes  used  to  pursue  its  objectives  at  all  levels  of  the 
organization.  Enterprise  risk  management  w  ill  help  AIMCo  to  identify  and 
understand  all  the  risks  it  currently  faces  and  those  on  the  horizon.  Tools  to 
measure  and  monitor  organization-wide  risk  help  to  integrate  the  management 
of  risk,  operations  and  investing. 

AIMCo  has  developed  and  introduced  the  AIMCo  Dashboard — a  tool  to  display 
the  critical  information  needed  to  monitor  its  risks.  The  Dashboard.  \\  ith  the 
major  risks  facing  AIMCo  and  the  specific  strategies  to  mitigate  those  risks, 
will  be  reviewed  regularly  by  the  executive  management  team.  It  was  presented 
to  the  AIMCo  Board  at  their  April  2009  meeting. 


Measure 
derivative  risk 


New  controls 


Derivative  risk  management 

To  limit  the  risk  of  investment  losses.  AIMCo  has  to  have  adequate  systems  to 
measure  derivative  risk  and  to  monitor  and  report  adherence  to  risk  tolerance 
thresholds  entity-wide.  The  derivate  risk  management  program  has  to  be 
integrated  with  overall  risk  management.  Derivative  positions  taken  in  one 
investment  pool  should  not  counteract  or  negate  derivative  positions  taken  in 
other  investment  pools. 

AIMCo  has  established  a  Derivatives  Risk  Management  Committee, 
comprising  senior  management,  to  provide  due  diligence  and  oven  iew  of 
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Monitoring 
exposure  daily 


New  controls 


Analysis  prior  to 
purchase 


New  controls 


Internal  audit 
assesses  control 
environment 


AIMCo's  derivative  and  credit  activity.  New  derivative  risk  management 
policies  have  been  introduced.  Derivative  risk  monitoring  is  a  feature  of  the 
Dashboard. 

Derivative  credit  risk  monitoring 

AIMCo  has  to  have  effective  processes  to  monitor  the  credit  risk  of  its 
derivative  counterparties.  This  means  daily  monitoring  of  counterparty 
exposure  and  credit  limits,  the  daily  preparation  of  aggregate  counterparty 
credit  risk  exposure  and  the  review  of  these  reports  before  authorizing 
additional  investment  purchases. 

AIMCo  is  replacing  its  existing  derivative  indemnity  agreements  with  new 
agreements  that  require  collateral  to  be  posted.  The  Dashboard  now  reports 
AIMCo's  aggregate  counterparty  exposures  every  two  weeks. 

Corporate  bond  credit  screening  process 

AIMCo  has  to  have  effective  credit  screening  processes  for  its  purchases  of 
government  and  corporate  bonds.  Such  processes  include  up-to-date  credit 
analysis  policies  and  procedures,  with  authorization  limits  for  purchases,  and 
the  requirement  for  an  independent  full  credit  analysis  prior  to  purchase. 

AIMCo  management  is  adding  more  staff  to  the  credit  analysis  group  and  will 
be  using  independent  external  research.  The  size  of  individual  investments  in 
any  one  issuer,  is  being  limited  to  a  percentage  of  assets  under  administration  to 
avoid  concentration  of  credit  risk.  This  information  is  reported  on  the 
Dashboard. 

Here  are  the  recommendations  from  our  2008-2009  audit  work. 

3.2  Internal  audit 
Recommendation 

We  recommend  that  AIMCo  re-establish  an  Internal  Audit  group. 
Background 

The  purpose  of  Internal  Audit  is  to  determine  whether  the  governance,  risk 
management  and  internal  control  processes,  as  designed  and  represented  by 
management,  are  adequate  and  functioning  well.  Internal  Audit  provides  an 
independent  and  objective  view  of  an  organization's  risk  management  and 
control  environment  and  helps  management  to  be  accountable  through  its 
reporting  to  the  Audit  Committee. 

In  the  past,  AIMCo's  Internal  Audit  and  Compliance  group  (IACO)  reviewed 
internal  controls  and  compliance  related  to  processing  of  investment 
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transactions.  An  Investment  Compliance  group  continues  to  perform  some 
internal  audit  functions,  including  compliance  testing,  exception  reporting  and 
an  operational  due  diligence  review  of  new  external  managers  for  hedge  fund 
and  Canadian  equity  investments. 

Criteria:  the  standards  we  used  for  our  audit 

AIMCo  should  have  an  internal  audit  group  to  ensure  governance,  risk 
management  and  internal  control  processes,  as  designed  and  represented  by 
management,  are  adequate  and  functioning  well. 

Our  audit  findings 

We  spoke  with  former  members  of  the  IACO.  who  confirmed  thai  no  internal 
control  reviews  were  performed  in  2008-2009.  Due  to  the  discontinuation  of 
IACO  and  preparation  for  internal  control  certification.  AIMCo  does  not  plan  to 
conduct  independent  internal  control  testing  in  the  future. 

Implications  and  risks  if  recommendation  not  implemented 

Without  the  independent  and  objectiv  e  re\  icw  of  AIMCo's  internal  controls 
that  an  internal  audit  group  provides,  investments  and  income  could  be  subject 
to  misappropriation  and  error. 

3.3  Valuation  of  private  equity  and  hedge  fund  investments 
Recommendation  No.  26 

We  recommend  that  AIMCo  establish  a  process  to  estimate  current  market 
values  for  private  and  hedge  fund  investments. 

Background 

Net  income  for  pension  plan  investments  is  calculated  as  the  difference  in 
market  value  between  January  1  and  December  31  each  year.  Valuations  for 
private  investments  and  hedge  funds  are  difficult  to  obtain  and  may  be  based  on 
estimates.  The  most  reliable  form  of  estimate  of  market  value  for  priv  ate  and 
hedge  fund  investments,  are  financial  statements  prepared  by  the  general 
partners  who  manage  these  investments  on  behalf  of  AIMCo. 

AIMCo's  private  investments  include  private  equities,  private  income,  private 
infrastructure  and  timberland  investments.  AIMCo  updates  valuations  for  these 
investments  when  their  general  partners  submit  unaudited  quarterlv  financial 
information,  which  is  generally  three  to  six  months  after  quarter-end.  Unaudited 
financial  statements  for  hedge  fund  investments  are  obtained  monthly  by  the 
custodian,  State  Street,  with  a  one-month  time  lag. 


Internal  audit 
discontinued 
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Criteria:  the  standards  we  used  for  our  audit 

AIMCo  should  have  a  process  to  obtain  the  current  market  value  of  all  private 
and  hedge  fund  investments  at  December  3 1 ,  and  compare  it  to  the  recorded 
market  values  of  these  investments.  If  the  recorded  market  values  are 
significantly  different  from  the  current  market  values,  they  should  be  adjusted. 

Our  audit  findings 

We  found  that  at  December  3 1 ,  2008,  the  valuations  of  most  of  the  private 
equity  investments  were  based  on  September  30,  2008  unaudited  financial 
statements  and  some  were  based  on  June  2008. 

In  February  2009,  the  AIMCo  private  equity  portfolio  managers  contacted 
private  equity  general  partners  by  phone  to  obtain  updated  market  values  at 
December  31,  2008.  This  process  resulted  in  a  late  write-down  of  private  equity 
and  private  income  investments  by  $249  million  and  $50  million  dollars,  or 
16%  and  3.9%  of  these  pools  respectively. 

Hedge  fund  investments  were  valued  using  unaudited  information  from 
November  2008,  supplied  by  the  investment  custodian.  Although  AIMCo  staff 
received  December  2008  valuation  information  for  these  pools  in 
mid-February  2009,  the  recorded  valuations  were  not  adjusted.  The  total 
decrease  in  value  of  these  investments  between  November  2008  and 
December  2008  was  $39  million,  or  2.5%  of  these  pools. 

The  AIMCo  CFO  should  lead  a  process  that  reviews  the  market  value  of  all 
private  and  hedge  fund  investments  at  December  3 1  each  year.  The  current 
market  values  should  be  obtained  from  recent  externally  prepared  financial 
statements,  should  be  compared  to  the  market  values  recorded  in  the  AIMCo 
general  ledger  and,  if  the  general  ledger  market  values  are  significantly 
different,  they  should  be  adjusted. 

Implications  and  risks  if  recommendation  not  implemented 

Net  income  from  pension  plan  investments  could  be  misstated  if  private  and 
hedge  fund  investments  are  not  recorded  at  current  market  values  each  year. 


Private  investment 
values  outdated 


Private  investment 
values  need 
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3.4  Coordination  with  the  Department  of  Finance  and  Enterprise 
Recommendation 

We  recommend  that  AIMCo  work  \\ it li  the  Department  of  Finance  and 
Enterprise  to: 

•  record  all  financial  statement  accounting  adjustments  in  the 
investments  general  ledger  on  a  timely  basis 

•  coordinate  the  timing  of  private  investment  valuations  so  that 
valuation  updates  to  the  investments  general  ledger  are  entered  before 
the  Department  performs  its  quarterly  write-down  analysis 

Background 

Finance  identifies  The  Department  of  Finance  and  Enterprise  (Finance)  uses  information  from  the 

investment  pool  investments  general  ledger  to  prepare  financial  statements  for  the  Alberta 

errors  Heritage  Savings  Trust  Fund  (Heritage  Fund),  other  endowment  funds,  pension 

plans  and  other  entities.  During  this  process,  Finance  identifies  errors  in  the 
completeness,  accuracy  and  valuation  of  the  investment  pools  administered  by 
AIMCo.  These  errors  are  then  corrected  in  the  financial  statements.  Other  errors 
in  the  investment  pools  and  errors  in  the  financial  statements  are  identified 
during  the  audit  process.  At  the  conclusion  of  the  financial  statement 
preparation  and  audit  processes,  the  errors  that  have  been  corrected  in  the 
financial  statements  must  be  recorded  in  the  investments  general  ledger. 

AIMCo  values  publicly  traded  investments  on  a  daily  basis  using  external 
market  data.  Private  investments  are  valued  each  quarter  using  the  most  recent 
financial  statements  provided  by  external  fund  managers.  In  most  cases,  private 
investments  are  valued  using  financial  statement  data  from  the  previous  quarter. 

As  part  of  their  process  for  preparing  quarterly  financial  statements  for  the 
endowment  and  pension  funds,  Finance  reviews  investment  valuations  to  assess 
if  impairment  has  occurred.  If  impairment  has  occurred,  the  investment  cost  is 
written  down  in  accordance  with  Finance's  write-down  policy. 

Criteria:  the  standards  we  used  for  our  audit 

Accounting  errors  that  are  corrected  in  the  audited  financial  statements  of  the 
Heritage  Fund,  other  endowment  funds,  pension  plans  and  other  entities  must 
be  corrected  in  the  investments  general  ledger. 

A  write-down  analysis  should  be  based  on  the  latest  and  best  valuation 
information  available. 
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Errors  not 
corrected  by 
AIMCo 


Our  audit  findings 

While  reviewing  the  financial  statements  of  the  Heritage  Fund's  third  quarter, 
which  ended  December  31,  2008,  we  found  that  adjustments  in  four  equity 
pools  and  the  timberland  investment  pool  had  not  been  recorded  in  the 
investments  general  ledger  for  more  than  a  year.  These  unrecorded  adjustments 
were  the  result  of  incorrect  income  allocation,  accrual  of  derivative  income, 
discontinuance  of  hedge  accounting  and  accumulated  miscellaneous  errors. 


Impairment 
analysis  used 
outdated  values 


Finance  performed  its  March  3 1 ,  2009  impairment  analysis  using  the 
investments  general  ledger  valuations  as  of  April  1,  2009.  Write-downs  were 
taken  on  public  and  private  investments.  However,  AIMCo  didn't  update  its 
private  equity  valuations  until  April  3,  2009.  Consequently,  Finance's 
write-down  analysis  for  private  investments  was  not  based  on  the  most  current 
valuations. 


Implications  and  risks  if  recommendation  not  implemented 

If  accounting  errors  identified  by  the  financial  statements  preparation  and  audit 
processes  are  not  recorded  in  the  investments  general  ledger,  there  is  a  risk  that 
investment  reports  and  returns  as  reported  by  AIMCo  to  client  investors  will  be 
incorrect. 


3.5  AIMCo  financial  statements 
Recommendation 

We  recommend  that  AIMCo  improve  its  processes  and  internal  controls  to 
achieve  completeness,  accuracy  and  increased  efficiency  in  financial 
reporting. 


Background 

Management  is  responsible  for  preparing  financial  statements  and 
accompanying  notes  in  accordance  with  Canadian  generally  accepted 
accounting  principles  and  for  ensuring  effective  internal  controls  over  financial 
reporting. 


New  staff  AIMCo's  financial  statements  for  the  first  full  year  of  operations  were  prepared 

st  uements11^1110^'  new  AIMCo  staff,  who  had  not  been  involved  in  preparing  AIMCo's  first 

financial  statements,  for  the  three  months  ended  March  31,  2008. 


Criteria:  the  standards  we  used  for  our  audit 

Management's  controls  over  financial  reporting  should  enable  the  production  of 
quarterly  and  annual  financial  statements,  including  notes  and  other  financial 
information,  in  accordance  with  Canadian  generally  accepted  accounting 
principles.  This  financial  reporting  should  be  provided  to  AIMCo's  senior 
management  and  the  Board  promptly. 
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AIMCo  needs 
internal  control 
certification 


Our  audit  findings 

The  first  draft  of  AIMCo's  annual  financial  statements,  provided  on 

April  28,  2009,  was  not  complete  and  was  not  supported  by  working  papers. 

We  worked  with  management  and  audited  progressively  improving  financial 
statements  as  they  prepared  supporting  documentation  for  the  amounts  and 
disclosures  in  the  financial  statements. 

With  additional  skilled  staff  in  the  finance  area,  AIMCo  should  be  able  to 
improve  the  effectiveness  of  its  financial  statement  preparation  process  in 
several  ways,  including: 

•  identifying  new  developments  that  may  affect  the  financial  statements  and 
evaluating  the  appropriate  financial  statement  treatment  well  before 
year-end 

•  preparing,  analyzing  and  reviewing  financial  statement  component  working 
papers  that  flow  logically  to  support  management's  conclusion  that 
financial  statement  amounts  and  disclosures  are  complete  and  accurate 

Implications  and  risks  if  recommendation  not  implemented 

Senior  management  and  the  Board  will  not  have  quality  financial  information 
produced  promptly  and  at  a  reasonable  cost. 

3.6  Internal  control  certification — progress  report 
Background 

In  our  2007-2008  Annual  Report  (No.  32— page  282),  we  recommended  that 
AIMCo  introduce  a  process  to  get  the  organization  ready  for  internal  control 
certification  by: 

•  ensuring  that  its  strategic  plan  includes  internal  control  certification 

•  developing  a  top-down,  risk-based  process  for  internal  control  design 

•  selecting  an  appropriate  internal  control  risk  assessment  framework 

•  considering  sub-certification  processes,  with  direct  reports  to  the  Chief 
Executive  Officer  and  Chief  Financial  Officer  (CFO)  providing  formal 
certification  on  their  areas  of  responsibility 

•  ensuring  that  management  compensation  systems  incorporate  the 
requirement  for  good  internal  control 

•  using  a  phased  approach  to  assess  the  design  and  operating  effectiveness  of 
internal  controls 

Management  agreed  with  our  recommendation  and  began  an  internal  control 
certification  project. 
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Management  actions 

AIMCo  has  included  internal  control  certification  in  its  work  program  for 
2009-2010.  The  project  is  in  the  scoping  stage.  The  CFO  has  discussed  the 
process  with  experienced  accounting  firms  and  is  preparing  an  initial  "Systems 
and  Control  Objectives"  document  to  assess  the  current  position.  The  CFO  is 
identifying  the  required  level  of  involvement  by  an  external  Chartered 
Accountant  firm.  The  goal  is  to  obtain  a  Type  2  CICA  Section  5970  Service 
Organization  Report  and  to  have  a  process  in  place  to  maintain  annual 
certification. 

3.7  Information  technology  risk  assessment — progress  report 
Background 

In  our  2007-2008  Annual  Report  to  management,  we  recommended  that 
AIMCo: 

•  regularly  conduct  a  comprehensive  information  technology  (IT)  risk 
assessment  to  identify  and  rank  the  risks  that  can  be  mitigated  with 
well-designed,  efficient  and  effective  IT  controls 

•  use  an  IT  control  framework  to  develop  and  implement  a  set  of 
well-designed  IT  control  processes  to  mitigate  identified  risks  and  to 
provide  efficient,  secure  programs  and  services  to  its  investors 

Management  actions 

AIMCo  has  a  security  risk  management  framework.  However,  it  is  not  used  to 
regularly  identify  and  assess  IT  risks.  According  to  AIMCo's  IT  Control 
Program  and  Strategy,  AIMCo  plans  to: 

•  conduct  IT  risk  and  control  requirements  assessment  (in  progress) 

•  conduct  current  IT  control  gap  evaluation  (planned) 

AIMCo  engaged  outside  help  to  conduct  an  IT  controls  assessment  and  gap 
analysis.  The  consultant  issued  a  report  in  September  2008.  AIMCo  is: 

•  developing  a  project  charter  and  project  plan  for  implementing  a  service 
desk  to  provide  help  desk  services  to  AIMCo 

•  mapping  IT's  current  activities  and  initiatives  to  IT  control  management 
framework  requirements  to  mitigate  gaps  identified  by  the  consultant 

During  our  2009-2010  audit,  we  will  assess  AIMCo's  progress  in 
implementing: 

•  an  IT  governance,  risk  and  compliance  program  and  ensure  the  board  and 
executive  management  provide  adequate  oversight,  strategic  direction, 
ensure  objectives  are  achieved,  ascertain  that  risks  are  managed 
appropriately,  and  verify  that  AIMCo  uses  all  of  its  IT  resources  effectively 
and  responsibly 

•  a  process  to  regularly  assess  IT  risks  and  their  mitigation 


1  menial  control 
certification 
process  has  begun 
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•  an  IT  control  framework  to  implement  well-designed,  efficient  and 
effective  controls  to  mitigate  identified  risks 

•  effective  controls,  through  contracting  or  other  processes,  to  ensure  all 
service  providers — including  Government  of  Alberta  ministries  or 
agencies: 

•     can  properly,  securely  and  consistently  provide  required  services 
before  entering  into  agreements  with  them 
consistently  meet  all  of  AIMCVs  security  and  internal  control 
requirements 

provide  assurance  or  demonstrate  that  their  controls  consistently  meet 
AIMCo's  security  and  service  level  requirements 

3.8  Conflicting  responsibilities  for  internal  audit— implemented 
Background 

Last  year,  in  our  October  2008  Report  (page  284),  we  recommended  that 
AIMCo  resolve  the  conflicting  job  responsibilities  of  its  Chief  Internal  Audit 
and  Compliance  Officer. 

Many  of  the  roles  and  responsibilities  that  were  performed  by  the  Chief  Internal 
Audit  and  Compliance  Officer  are  normally  those  of  a  Chief  Financial  Officer 
(CFO).  The  organizational  structure  of  AIMCo  did  not  include  a  CFO,  although 
it  did  include  the  role  of  a  Chief  Operating  Officer  (COO).  The  Chief  Internal 
Audit  Officer  usually  reports  directly  to  either  the  CEO  or  to  the  Board  of 
Directors,  to  ensure  the  independence  of  this  role.  The  Chief  Compliance 
Officer  usually  reports  to  the  COO. 

External  and  internal  auditor  recommendations  are  usually  dealt  with  by  the 
CFO,  who  works  with  operational  management  to  ensure  that  the 
recommendations  are  implemented.  Internal  audit  is  not  asked  to  implement 
their  own  recommendations,  due  to  the  clear  conflict  of  interest  when  they  are 
asked  to  report  whether  their  own  recommendations  have  been  implemented. 

Our  audit  findings 

Conflicting  We  found  that  the  internal  audit  group  has  been  disbanded  and  that  the  Senior 

Tn  tvued1'1'65  Compliance  Officer  position  has  been  eliminated.  The  internal  control 

certification  process  will  be  administered  by  the  CFO  and  the  Corporate 
Compliance  function  will  be  transitioned  to  the  Chief  Legal  Officer  by 
June  30,  2009. 

The  CFO  has  taken  on  the  role  of  liaison  with  the  external  auditor  and 
coordination  with  management  to  ensure  that  audit  recommendations  and 
operational  requirements  are  met. 
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We  deal  with  the  need  for  an  Internal  Audit  Group  on  page  232. 

3.9  Controls  over  trading  with  approved  counterparties — implemented 
Background 

Last  year,  in  our  October  2008  Report  (page  290),  we  recommended  that 
AIMCo  improve  its  processes  for  setting  up  and  maintaining  approved 
counterparties  in  the  swap  database  system. 

AIMCVs  counterparty  trading  policy  states  that  it  can  engage  in  derivative 
transactions  with  counterparties  that  were  approved  by  the  Derivative  Risk 
Management  Committee  and  that  have  signed  an  International  Swap  and 
Derivative  Association  (ISDA)  agreement.  AIMCo  uses  a  swap  database 
system  in  which  approved  counterparties  are  maintained  on  a  master  file.  When 
investment  traders  wish  to  initiate  a  swap  transaction,  they  begin  by  selecting  an 
approved  counterparty  from  a  drop-down  menu  in  the  swap  database  system. 

Last  year,  we  found  that  one  counterparty  was  included  in  the  counterparty 
trading  list  in  the  swap  database  system,  but  it  had  not  signed  an  ISDA 
agreement  with  AIMCo.  A  second  counteiparty  was  noted  as  being  suspended 
from  trading,  but  was  not  removed  from  the  counterparty  trading  list. 

Our  audit  findings 

We  found  that  both  counterparties  were  removed  from  the  counterparty  trading 
list  in  the  swap  database  system. 

Management  has  improved  reporting  of  approved  counterparties,  including 
information  from  the  credit  rating  analysis. 

3.10  Performance  measurement  review  processes — implemented 
Background 

Last  year,  in  our  October  2008  Report  (page  291),  we  recommended  that 
AIMCo  improve  its  processes  for  management  review  and  approval  of 
investment  performance  information  by: 

•  implementing  a  review  and  approval  process  within  the  performance 
management  group  for  investment  performance  reports 

•  evidencing  the  review  process  by  signing  or  initialling  the  reports 

A  Monthly  Management  Summary  Report  for  performance  reporting  was 
implemented  in  April  2008.  The  Summary  is  signed  by  the  Manager  of 
Investment  Performance  as  well  as  the  analysts  who  worked  on  the  performance 
information  for  that  month.  Before  signing  the  report,  the  Manager  is 
responsible  for  checking  the  backup  information  for  the  listed  changes.  It  is 
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then  filed  in  the  binder  with  all  the  reports,  analyses  and  supporting 
documentation  for  that  performance  month. 

Our  audit  findings 

We  found  that  the  Monthly  Management  Summary  Report  w  as  prepared, 
reviewed  and  all  identified  issues  were  resolved  on  a  timely  basis. 

4.  Alberta  Capital  Finance  Authority 

4.1  Deadlines  to  finalize  financial  statements,  finish  the  audit,  and  schedule 
the  Audit  Committee  meeting — implemented 
Background 

Last  year,  in  our  October  2008  Report  (page  292),  we  recommended  that 
management  and  the  Audit  Committee  of  Alberta  Capital  Finance  Authority 
extend  the  deadlines  for: 

•  finalizing  the  financial  statements 

•  completing  the  financial  statement  audit 

•  scheduling  the  Audit  Committee  meeting  to  approve  the 
December  31.  2008  financial  statements 

Our  audit  findings 

The  deadlines  for  finalizing  the  financial  statements,  timing  of  the  audit  and 
audit  committee  meeting  were  extended  by  one  week. 

5.  Alberta  Securities  Commission 
5.1  Purchase  policy — implemented 

Background 

Last  year,  in  our  October  2008  Report  (page  294)  we  recommended  that  the 
Alberta  Securities  Commission  clarify  its  purchase  policy  to  ensure  compliance 
with  the  Trade,  Investment  and  Labour  Mobility  Agreement  (TILMA). 

The  TILMA  is  an  agreement  struck  between  the  provinces  of  Alberta  and 
British  Columbia  to  reduce  barriers  to  trade,  investment  and  labour  in  both 
provinces.  Last  year,  we  found  contradictions  in  the  purchase  policy  of  the 
Alberta  Securities  Commission  and  certain  provisions  related  to  the  purchase  of 
services  over  $10,000  did  not  meet  TILMA  requirements. 

Our  audit  findings 

Management  has  clarified  its  purchase  policy  and  it  now  adheres  to  TILMA. 
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Financial  statements 

We  issued  unqualified  auditor's  opinions  on  the  financial  statements  of  the  Ministry 
and  the  Department  for  the  year  ended  March  31,  2009. 

We  issued  unqualified  auditor's  opinions  for  the  following  entities  consolidated 
within  the  Ministry: 

For  the  year  ended  March  3 1 ,  2009: 

•  Alberta  Cancer  Prevention  Legacy  Fund 

•  Alberta  Heritage  Foundation  for  Medical  Research  Endowment  Fund 

•  Alberta  Heritage  Savings  Trust  Fund 

•  Alberta  Heritage  Scholarship  Fund 

•  Alberta  Heritage  Science  and  Engineering  Research  Endowment  Fund 

•  Alberta  Investment  Management  Corporation 

•  Alberta  Risk  Management  Fund 

•  Alberta  Securities  Commission 

•  N.A.  Properties  (1994)  Ltd. 

•  Provincial  Judges  and  Masters  in  Chambers  Reserve  Fund 

•  Supplementary  Retirement  Plan  Reserve  Fund 


For  the  year  ended  December  3 1 ,  2008: 

•  Alberta  Capital  Finance  Authority 

•  Alberta  Pensions  Services  Corporation 

•  Alberta  Local  Authorities  Pension  Plan  Corp. 

•  Credit  Union  Deposit  Guarantee  Corporation 

For  the  year  ended  September  30,  2008: 

•  Gainers  Inc. 


In  addition,  we  examined  the  financial  statements,  management  letters,  and  audit 
files  for  the  year  ended  December  31,  2008  for  Alberta  Insurance  Council,  a 
Crown-controlled  corporation  consolidated  with  the  Ministry.  A  public  accounting 
firm  audits  the  Council. 

We  issued  unqualified  auditor's  opinions  for  all  of  the  financial  statement  audits  we 
completed  for  Alberta  Treasury  Branches  (ATB)  and  its  subsidiaries  (ATB 
Investment  Services  Inc.,  ATB  Investment  Management  Inc.,  ATB  Securities  Inc., 
ATB  Insurance  Advisors  Inc.)  for  the  year  ended  March  3 1 ,  2009. 

We  issued  unqualified  review  engagement  reports  on  ATB's  quarterly  financial 
statements. 


Alberta  Treasury 
Branches 
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Entities  not 
consolidated 
w  ithin  the 
Ministry 


A  public  accounting  firm  performed  compliance  audits  of  A  I  B's  three  subsidiaries 
(ATB  Investment  Services  Inc.,  ATB  Investment  Management  Inc..  and  ATB 
Securities  Inc.)  and  reported  directly  to  the  applicable  regulator)  bodies.  W  e 
rc\  iewed  the  results  of  these  audits: 

•  Mutual  Fund  Dealers  Association  of  C  anada's  Financial  Questionnaire  and 
Report  as  at  March  3 1 ,  2009. 

•  Investment  Industry  Regulatory  Organization  of  Canada's  Joint  Regulatory 
Financial  Questionnaire  and  Report  as  at  March  3 1 .  2009. 

•  Compliance  with  applicable  sections  of  National  Instrument  81-102  as  required 
by  the  Alberta  Securities  Commission  for  the  year  ended  March  3 1 .  2009. 

We  also  issued  unqualified  auditor's  opinions  on  the  financial  statements  of  the 
following  entities  that  are  not  consolidated  within  the  Ministry: 

For  the  year  ended  March  3 1 ,  2009: 

•  ARCA  Investments  Inc. 

•  Consolidated  Cash  Investment  Trust  Fund 

•  Provincial  Judges  and  Masters  in  Chambers  (Registered)  Pension  Plan 


Unqualified 
review 

engagement  report 


For  the  year  ended  December  3  1 .  2008: 

•  Local  Authorities  Pension  Plan 

•  Management  Employees  Pension  Plan 

•  Public  Service  Management  (Closed  Membership)  Pension  Plan 

•  Public  Service  Pension  Plan 

•  Special  Forces  Pension  Plan 

•  Supplementary  Retirement  Plan  for  Public  Sen  ice  Manager^ 

Performance  measures 

The  Ministry  engaged  us  to  review  selected  performance  measures  in  the  Ministr)  's 
2008-2009  Annual  Report.  We  issued  an  unqualified  review  engagement  report  on 
these  measures. 
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Summary 

Department  of  Health  and  Wellness 
The  Department  should: 

•  examine  and  clarify  the  role  of  its  Compliance  Assurance  Branch  in  the 
implementation  and  execution  of  infection  prevention  and  control  compliance 
monitoring  in  Alberta — see  page  246 

•  improve  its  control  processes  to  ensure  accountability  for  conditional  grants- 
see  page  252 

The  Department  with  Alberta  Health  Services  (AHS)  and  the  Universities  has 
implemented  our  1998-1999  recommendation  to  improve  accountability  for  and 
governance  of  academic  medicine — see  page  253 

Due  to  changed  circumstances  the  following  recommendations  are  no  longer  valid: 

•  our  2002-2003  recommendation  to  improve  the  process  on  funding  province 
w  ide  services — see  page  255 

•  our  2005-2006  recommendations  to  improve  the  Department's  allocation 
methodology  for  global  funding    see  page  255 

Our  findings  and  recommendations  on  Food  Safety  Follow-up  systems  audit  are 
included  in  a  separate  section  of  this  report    see  page  87 

Alberta  Health  Services 

On  May  15,  2008,  the  Minister  of  Health  and  Wellness  announced  that  on 
April  I,  2009.  the  nine  regional  health  authorities,  two  provincial  boards  (Alberta 
Cancer  Board  and  Alberta  Mental  Health  Board)  and  the  Alberta  Alcohol  and  Drug 
Abuse  Commission  (the  "Authorities")  would  amalgamate  into  one  health 
authority — Alberta  Health  Services  (AHS). 

For  the  year  ended  March  31,  2009.  each  Authority  continued  to  exist  and  to 
produce  its  own  financial  statements.  We  were  appointed  as  the  auditor  for  each  of 
these  Authorities  for  the  year  ended  March  3 1 .  2009. 

We  have  recommended  that  AHS: 

•  improve  controls  for  executive  termination  payments    see  page  256 

•  understand  the  inconsistencies  within  its  existing  supplemental")  retirement 
plans  (SRPs)  and  the  impact  of  any  future  funding  decisions,  administer  them 
consistently  and  have  sufficient  funds  available  to  meet  the  SRP  obligations- 
see  page  260 
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Health's  role 


•  develop  an  information  technology  control  framework  and  improve  its 
information  technology  controls — see  page  262 

•  approve  the  annual  budget  and  financial  plan — see  page  267 

•  improve  the  financial  management  controls  for  capital  projects — see  page  268 

•  improve  the  year-end  financial  reporting  processes — see  page  274 

•  improve  the  efficiency  and  effectiveness  of  the  expense  approval  controls- 
see  page  277 

•  approve  drug  purchases  and  appropriately  segregate  the  duties — see  page  278 

•  implement  appropriate  controls  for  physician  recruitment  incentives- 
sec  page  279 

•  comply  with  its  investment  policy — see  page  280 

For  any  outstanding  recommendations  previously  made  to  the  organizations  that 
form  the  Ministry,  please  see  our  outstanding  recommendations  list  on  page  335. 


Our  audit  findings  and  recommendations 

1 .    Department  of  Health  and  Wellness 
1.1  Monitoring  infection  prevention  and  control  processes 
1.1.1  Summary 

The  Department  of  Health  and  Wellness  (Health)  is  responsible  for  reviewing 
and  investigating  various  issues  as  part  of  its  role  to  protect  and  promote  public 
health  in  Alberta. 

The  Health  Quality  Council  of  Alberta  (HQCA)  is  an  independent  organization 
legislated  under  the  Regional  Health  Authorities  Act]  to  measure,  monitor  and 
assess  patient  safety  and  the  quality  of  health  services.  The  HQCA  conducts 
reviews  at  the  request  of  the  Minister  and  recommends  improvements.  The 
Minister  has  final  authority  for  deciding  which  of  these  recommendations 
Health  will  implement.  Our  audit  mandate  does  not  extend  to  auditing  or 
judging  such  policy  decisions. 


Ten 

recommendations 


In  July  2007,  the  HQCA  made  recommendations  to  Health  and  other  entities 

reeoinmenuanons  _  r .  „ 

made  to  Health  by  atter  a  review  of  infection  prevention  and  control  (IPC)  processes  in  the  (then) 
IQCA  East  Central  Health  Region.  Health  accepted  10  of  the  recommendations  from 

this  review . 


'  See  Section  1 7  of  the  Regional  Health  Authorities  Act,  R.S.A.  2000,  c.R-10.  HQCA  was  established  under  the  Health 
Quality-  Council  of  Alberta  Regulation  130/2006  on  July  1,  2006. 

"  Review  of  the  Infection  Prevention  and  Control,  and  Central  Sterilization  Issues  in  East  Central  Health  Region,  HQCA 
2007-  Refer  to  http://www.hqca.ca/assets/pdf/HQCA_Full_Report_July_25_2007.pdf 
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What  we  examined 

We  examined  the  processes  at  Health  to  review,  assign  responsibility  and 
monitor  implementation  of  accepted  recommendations  about  IPC  issues 
identified  in  the  HQCA  report,  and  to  take  necessary  follow-up  action. 


Process  to 
implement  in 
place;  monitoring 
and  follow-up  not 
timely 


What  we  found 

Health  developed  a  process  to  implement  the  recommendations  it  accepted 
from  HQCA.  It  assigned  responsibility  for  planning,  timelines,  deliverables 
and  resources  needed  to  carry  out  those  recommendations.  Health  developed 
and  issued  IPC  standards,  required  establishment  of  regional  IPC  committees, 
provided  funds  for  upgrading  facilities  and  developed  education  programs. 
However,  Health  has  been  challenged  to  promptly  monitor  and  follow-up  on 
the  IPC  standards  it  developed. 


Visits  scheduled 
for  East  Central 
Health 


Facility-based  monitoring  of  compliance  to  IPC  standards  is  the  responsibility 
of  Alberta  Health  Services  (AHS).  Health's  Compliance  Assurance  Branch  has 
scheduled  12  facilities  in  the  former  East  Central  Health  Region  for  review 
during  September  2009  to  verify  that  AHS  programs  for  monitoring 
compliance  are  operating  as  intended. 


Acute  care 
facilities  must 
comply  with  IPC 
standards 


Compliance 
Assurance  Branch 
role  in  [PC 


In  this  report,  we  recommend  that  Health  examine  and  clarify  the  Compliance 
Assurance  Branch's  role,  relative  to  AHS  in  implementing  IPC  compliance 
monitoring  in  acute  care3  facilities  across  Alberta.  Albertans  need  confidence 
that  high-risk  facilities  such  as  those  identified  by  HQCA  in  2007  are 
complying  with  IPC  standards. 

In  our  October  2008  Report,4  we  recommended  that  Health  complete  a 
comprehensive  risk  assessment  to  improve  the  effectiveness  of  its  compliance 
monitoring  activities.  The  findings  from  our  current  audit  support  expanding 
that  recommendation  to  include  examining  and  clarifying  the  role  that  Health 
expects  of  its  Compliance  Assurance  Branch,  particularly  with  respect  to  [PC 
matters. 


Why  this  is  important  to  Albertans 

Albertans  need  assurance  of  the  safety  and  quality  of  the  healthcare  system. 
Without  robust  compliance  monitoring  processes  to  support  IPC  initiatives, 
there  is  a  continual  risk  that  unsafe  practices  may  persist. 


3  Hospitals  and  other  types  of  facilities  as  identified  in  the  HQCA  report.  Health's  Compliance  Assurance  Branch  currently 
conducts  some  IPC  related  reviews  in  continuing  care  settings. 

4  Recommendation  No.  35.  page  300  of  the  Report  of  the  Auditor  General  of  Alberta— October  2008 
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1.1.2  Audit  objectives  and  scope 

Our  objective  was  to  determine  if  Health  has  systems  to  effect  and  monitor 
implementation  of  accepted  HQCA  recommendations  from  the  review  of  IPC 
processes  in  the  East  Central  Health  Region.  In  performing  this  audit,  we: 

•  examined  Health  documents  pertaining  to  the  IPC  initiatives,  and 

•  interviewed  management  and  staff. 

We  did  not  examine  the  status  of  HQCA's  recommendations  to  St.  Joseph's 
General  Hospital,  the  East  Central  Health  Region  and  the  Alberta  Catholic 
Health  Corporation. 

1 .1 .3  Our  findings  and  recommendation 
Compliance  monitoring  activities 
Recommendation 

We  recommend  that  the  Department  of  Health  and  Wellness  examine  and 
clarity  the  role  of  its  Compliance  Assurance  Branch  in  the  implementation 
and  execution  of  infection  prevention  and  control  compliance  monitoring 
in  Alberta. 


Our  audit 
objective 


Minister  requested 
review  of  IPC 
practices 


Health  then 
conducted 
pro\  incial  IPC 
review- 


Background 

In  March  2007,  the  Minster  of  Health  and  Wellness  asked  the  Health  Quality 
Council  of  Alberta  (HQCA)  to  conduct  a  review  and  make  recommendations 
to  improve  IPC  practices  at  Vegreville  and  throughout  the  East  Central  Health 
Region.  HQCA  issued  its  review  (the  HQCA  Report)  in  July  2007.  Of 
HQCA's  76  recommendations,  10  were  directed  at  Health  and  were  accepted. 
The  remaining  recommendations  were  made  to  St.  Joseph's  General  Hospital, 
the  East  Central  Health  Region  and  the  Alberta  Catholic  Health  Corporation. 

Health  subsequently  conducted  a  province-wide  review  of  IPC  practices, 
policies,  programs  and  systems  at  the  former  regional  health  authorities, 
Alberta  Cancer  Board  and  the  health  professional  regulatory  bodies.5  Health 
issued  the  Provincial  Review  of  Infection  Prevention  and  Control  in 
August  2007.  That  report  identified  five  directions  for  moving  forward — 
clarifying  accountability,  implementing  standards  and  monitoring, 
strengthening  IPC  capacity,  improving  education  and  training,  and  enhancing 
provincial  coordination. 


On  May  15,  2008,  the  Alberta  Health  Services  Board  replaced  the  nine  regional  health  authority  boards,  the  Alberta  Mental 
Health  Board,  Alberta  Alcohol  and  Drug  Abuse  Commission  and  Alberta  Cancer  Board  and  is  now  responsible  for  health 
services  delivery  in  Alberta. 
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Criteria:  the  standards  we  used  for  our  audit 

For  HQCA  recommendations  that  Health  accepted: 

•  responsibilities  for  implementation  of  accepted  recommendations  should 
be  planned  and  assigned,  including  timelines,  deliverables  and  resources 

•  implementation  of  accepted  recommendations  should  be  monitored  and 
follow-up  action  taken  if  necessary 

Our  audit  findings 

We  found  that  Health  assigned  responsibility  for  implementing 
recommendations,  including  responsibility  for  planning,  timelines,  deliverables 
and  resources.  However,  Health  has  been  challenged  to  promptly  monitor  and 
follow-up  on  the  [PC  standards  it  developed. 

Health  is  responsible  for: 

•  setting,  monitoring  and  enforcing  provincial  health  policy 

•  standards  and  programs 

•  managing  capital  planning,  procurement  and  outcome  measures 

Alberta  Health  Services  (AHS)  co-coordinates  the  delivery  of  health  supports 
and  services  across  the  province.7  This  includes  responsibility  for  daily 
facility-based  adherence  to  Health's  IPC  standards. 


IPC  standards 
issued 


In  January  2008,  Health  developed  and  issued  standards  for: 

»     IPC  accountability  and  reporting — requiring  an  IPC"  executive  and 

committee  in  each  health  region — implementation  in  all  former  regions 

was  monitored  by  the  Compliance  Assurance  Branch 

•  cleaning  of  reusable  medical  devices — Health's  target  for  developing  a 
compliance  monitoring  process  is  December  2009 

•  prevention  and  management  of  MRSA'' — Health's  target  for  dev  eloping  a 
compliance  monitoring  process  is  March  2010 

•  single-use  medical  devices — Health's  target  for  developing  a  compliance 
monitoring  process  was  June  2009" 


Health  to  verify 
that  AHS  is 
monitoring 
standards  in 
facilities 


Health  tasked  its  Compliance  Assurance  Branch  to  verify  that  AHS  programs 
for  monitoring  compliance  to  IPC  standards  operate  as  intended.  Currently,  the 
Compliance  Assurance  Branch  monitors  compliance  to  Continuing  Care 
Health  Service  Standards  in  continuing  care  facilities  which  includes 


6  http://www.health.alberta.ca/healtii-services.html 

http://www.albertahealthservices.ca/57.htm 
x  Project  Charter,  Implementation  of  the  Alberta  Infection  Prevention  and  Control  Strategy.  April  1 5.  2009 
g  Methicillin  Resistant  Staphylococcus  Aureus 

10  Provincial  Review  of  Infection  Prevention  and  Control,  prepared  by  Alberta  Health  and  Wellness,  August  2007 
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East  Central 

facilities 

scheduled 


Monitoring 
activities  need  to 
be  coordinated 


compliance  with  IPC  standards.  However,  facility-based  reviews  by  the 
Compliance  Assurance  Branch  of  IPC  monitoring  in  hospitals  or  other  acute 
care  facilities  such  as  those  identified  as  high-risk  by  the  HQCA  Report,  are 
still  developing.  Health  told  us  that  during  2008,  the  Compliance  Assurance 
Branch  conducted  administrative  monitoring  of  the  four  standards — 
Accountability  and  Reporting,  Single  Use  Medical  Devices,  Cleaning  and 
MRSA.  The  Compliance  Assurance  Branch  has  been  testing  audit  tools  for 
over  a  year,  and  has  completed  one  pilot  project  where  three  facilities  were 
reviewed  in  April  2009,  for  compliance  with  IPC  standards. 

The  Compliance  Assurance  Branch  told  us  that  they  have  scheduled  facility 
visits  in  the  former  East  Central  Health  Region  for  September  2009,  to  test 
compliance  with  IPC  standards  and  policies,  and  verify  that  AHS  programs  for 
monitoring  compliance  are  operating  as  intended. 

However,  the  Compliance  Monitoring  Branch  has  not  fully  developed  its  role 
relative  to  AHS  monitoring  activities,  and  has  limited  information  on  AHS 
compliance  monitoring.  Clearly  defined  responsibilities  and  accountabilities  as 
well  as  coordination  of  monitoring  activities  between  Health  and  AHS,  will  be 
critical  to  provide  confidence  that  high-risk  facilities  such  as  those  identified 
by  HQCA  in  2007,  now  comply  with  appropriate  standards. 

The  IPC  strategy 

Following  are  our  general  findings  related  to  Health's  overall  IPC  strategy, 
followed  by  more  specific  findings  related  to  its  strategic  directions.  We  have 
organized  the  report  in  this  manner  to  better  align  our  recommendation  to 
Health's  overall  strategic  direction. 


Strategy  aligns  to 
HQCA 

recommendations 


In  late  2007  and  early  2008,  Health  released  the  Alberta  Infection  Prevention 
and  Control  Strategy,  created  a  project  charter12  and  identified  a  project 
implementation  team.  Health's  IPC  strategy  has  six  strategic  directions: 
provincial  standards  and  monitoring 
leadership  and  accountability 
province-wide  surveillance 
human  resource  requirements 
physical  infrastructure 
public  awareness  and  education 


Responsibilities 
and  timeframes 
assigned 


To  implement  the  IPC  strategy,  Health  formed  the  IPC  Project  Team  which 
consists  of  IPC  specialities  and  senior  health  administrators.  The  team  meets 
regularly,  defines  tasks  for  each  IPC  initiative  and  assigns  team  members 


Project  Charier,  Implementation  of  the  Alberta  Infection  Prevention  and  Control  Strategy,  June  25,  2008 
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responsibility  for  the  completion  of  those  tasks  within  an  established 
timeframe.  Progress  is  monitored  at  each  team  meeting.  The  IPC  Project  Team 
also  has  the  ability  to  draw  on  the  expertise  prov  ided  by  the  Alberta  IPC 
Advisory  Committee  which  consists  of  infectious  disease  specialists,  infection 
control  experts,  laboratory  specialists,  and  representatives  from  Alberta  health 
professional  regulatory  bodies.  Both  the  IPC  Project  Team  and  Alberta  IPC 
Advisory  Committee  form  task  groups  as  needed  to  complete  specific 
initiatives. 


Bill  48  to  provide 
clarification  of 
responsibilities 


Leadership  and  accountability 

Bill  4813  was  developed  to  provide  clarification  that  the  board  of  a  voluntary 
health  organization  is  responsible  for  the  day-to-day  operations  of  an  approv  ed 
hospital,  but  all  operations  must  comply  with  the  terms  of  a  service  agreement 
with  the  regional  health  authority.  The  Act  has  not  been  proclaimed  and  the 
date  of  proclamation  is  uncertain.  A  sen  ice  agreement  template  has  been 
developed  by  Health.  AHS  and  the  v  oluntary  health  organizations  to  guide  the 
specific  agreements  on  the  provision  of  services  by  the  voluntaries  to  AHS  and 
provide  greater  clarity  and  accountability  between  them. 


Consistent 
practices  to  be 
provided 


Province  wide  surveillance 

Health.  AHS  and  IPC  experts  participate  in  an  IPC  surveillance  working  group 
to  provide  consistent  practices  and  to: 

•  determine  priorities  for  which  organisms  and/or  infections  to  monitor. 

•  dev  elop  a  methodology  for  conducting  surv  eillance  of  each  of  these 
organisms  and/or  infections. 

•  achieve  consensus  on  which  healthcare-acquired  infections  and/or 
procedures  should  be  under  surveillance. 

•  develop  ways  to  include  data  across  the  healthcare  spectrum,  and 

•  determine  how  various  parties  can  support  each  other  and  share  resources. 


r.mployee 
education,  training 
and  capacity 


Hitman  resource  requirements 

Health  currently  has  two  IPC  experts  who  support  infection  control 
practitioners  in  the  former  regional  health  regions.  Health  has  also 
commissioned  an  IPC  human  resource  capacity  framework  to  deal  with 
expected  qualifications,  educational  and  training  programs,  and  capacity  for 
IPC  professionals.  Standards  and  policies  are  not  yet  developed.  In  2009, 
Health  provided  $2.5  million  to  AHS  to  support  IPC  education  and  training  for 
sterile  processing  technicians,  infection  control  practitioners  and  health  care 
workers. 


1  Bill  48 — The  Health  Facilities  Accountability  Statutes  Amendment  Act  2007.  The  amendments  were  passed  and  received 
Royal  Assent  on  December  7,  2007. 
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Physical  infrastructure 

Health  provided  $6.8  million  to  upgrade  central  sterilization  rooms  in  seven 
facilities  in  the  former  East  Central  Health  Region.  We  were  told  these 
upgrades  are  to  be  complete  by  fall  2009.  Also,  $16  million  was  provided  to 
health  regions  throughout  the  province  to  upgrade  hand  hygiene  facilities. 

Health  also  commissioned  a  background  paper  on  a  physical  infrastructure 
framework  to  incorporate  IPC  principles,  standards  and  expertise  in  the  design, 
construction,  commissioning,  renovation  and  maintenance  of  health  care 
facilities.  Work  continues  on  the  implementation  of  this  framework. 

Public  education  and  awareness 

In  January  2008,  Health  implemented  its  Alberta  Hand  Hygiene  Strategy; 
dc\  elopment  of  public  education  related  to  other  IPC  practices  is  ongoing. 
Health  also  commissioned  an  IPC  exposure  risk  assessment.  The  report  Health 
re\  iewed  in  January  2009,  provides  a  provincial  framework  to  guide  medical 
officers  of  health  when  assessing  exposure  risk  related  to  IPC  breaches. 

Implications  and  risks  if  recommendation  not  implemented 

Without  effective,  timely  and  robust  compliance  monitoring  processes  to 
support  other  infection  prevention  and  control  initiatives,  there  is  a  continual 
risk  that  unsafe  practices  will  continue  or  develop,  resulting  in  potentially 
severe  public  health  issues  for  Albertans. 

1.2  Accountability  for  conditional  grants— recommendation  repeated 

We  repeat  this  recommendation  because  the  Department  of  Health  and 
Wellness  has  not  made  satisfactory  progress  to  implement  it  in  the  past  year. 

Recommendation — repeated 

We  again  recommend  that  the  Department  of  Health  and  Wellness 
improve  its  control  processes  to  ensure  accountability  for  conditional 
grants. 

Background 

In  our  2001-2002  Annua/  Report  (page  134),  we  recommended  that  the 
Department  improve  its  corporate  control  processes  for  ensuring  accountability 
for  restricted  funding.  In  our  2002-2003  Annual  Report  (No.  22— page  152), 
we  again  recommended  that  the  Department  improve  its  control  processes  for 
conditional  grants. 


East  Central 
facilities  upgraded 


Public  education 
on-going 
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In  2007-2008.  the  Department  had: 

•  issued  financial  directives  to  health  authorities  on  how  to  account  for 
conditional  grants 

•  issued  guidelines  for  reporting  on  unspent  restricted  grants  at  year-end 

•  stated  that  it  would  implement  a  new  grant  tracking  system  which  would 
standardize  and  streamline  the  recording,  tracking  and  monitoring  of  all 
steps  in  creating,  approving  and  managing  departmental  grants 


The  Department 
has  not 

implemented  a 
monitoring 
process  for  grants 


Our  audit  findings 

The  Department  has  not  yet  implemented  a  monitoring  process  to  ensure  that 
program  areas  receive  and  review  reports  on  grants.  The  implementation  of  the 
new  grant  tracking  system  has  been  delayed  to  March  2010.  We  tested  a 
sample  of  16  conditional  grants  and  found  that: 

•  10  grant  recipients  did  not  submit  final  reports  promptly 

•  eight  evaluation  checklists  submitted  were  incomplete — evaluation 
checklists  are  the  Department's  control  to  indicate  that  grant  managers 
have  reviewed  final  reporting  and  hav  e  assessed  if  recipients  had  met  the 
grant  conditions 

To  implement  the  recommendation,  the  Department  must  implement  control 
processes  over  grant  accountability  to  ensure  that  it  receives  and  evaluates 
gi  ant  reports  promptly. 

Implications  and  risks  if  recommendation  not  implemented 

Without  prompt  reporting,  the  Department  cannot  determine  whether: 

•  recipients  use  funds  according  to  the  grant  agreements 

•  unused  funds  remain  available  for  future  funding  decisions 


Annual 

expenditures  on 
academic 
medicine  exceed 
$600  million 


1.3  Improving  accountability  and  transparency  of  academic  medicine — 
implemented 
Background 

Academic  medicine  encompasses  medicine's  roles  in  research,  education, 
administration  and  clinical  service  delivery.  Academic  medicine  is  delivered 
primarily  through  the  cooperation  of  the  University  of  Alberta  and  the 
University  of  Calgary's  Faculties  of  Medicine  and  Alberta  Health  Services 
(AHS).  The  government  prov  ides  funding  for  academic  medicine  through  the 
Departments  of  Health  and  Wellness,  and  Adv  anced  Education  and 
Technology.  Annual  expenditures  on  academic  medicine,  specifically  the  two 
academic  health  centres  in  the  province,  exceed  $600  million. 
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Prior  years' 
recommendations 


Roles  and 

responsibilities 

clarified 


Oversight 
committee 


Business  Plan 
developed 


Statement  of 
operations 


In  our  /  998-1999  Annual  Report  (No.  1 8— page  89  and  No.  1 9— page  9 1 )  we 
recommended  improving  the  accountability  for  and  governance  of  academic 
medicine.  In  1999-2000,  we  repeated  these  recommendations  (No.  39- 
page  238)  and  recommended  that: 

•  those  who  manage  and  fund  academic  health  activities  acknowledge  the 
full  scope  and  magnitude  of  those  activities  and  the  consequences  for  the 
accountability  of  academic  health  centres 

•  the  entity  or  entities  responsible  for  academic  health  and  their  mandates, 
roles  and  accountabilities  be  clearly  defined  and,  on  this  basis,  the 
appropriate  organization  and  governance  structure  be  established 

Our  audit  findings 

The  Departments,  AHS  and  the  Universities  have  implemented  our 
recommendations  by  clarifying  the  roles  and  responsibilities  for  academic 
medicine  and  developing  a  financial  reporting  framework  that  accounts  for  the 
financial  resources  applied  to  delivering  academic  medicine  in  Alberta. 

Over  the  past  several  years,  the  entities  have  taken  the  following  actions  to 
improv  e  their  governance  of  and  accountability  for  academic  medicine: 

•  Established  a  Deputy  Minister/Stakeholder  Committee  (the  Committee) 
for  academic  medicine.  This  joint  Committee  brings  together  senior 
representatives  from  the  Departments,  AHS  and  the  Universities.  The 
Committee  members  have  signed  a  memorandum  of  understanding  to 
identify  provincial  priorities  for  academic  medicine  and  clarify  the  roles 
and  responsibilities  of  the  entities  involved. 

•  The  Committee  drafted  a  Provincial  Academic  Medicine  Business  Plan  for 
2009-2012  with  goals  and  strategies  for  academic  medicine.  The 
Committee  has  also  drafted  a  work  plan  and  meeting  schedule  to  guide  its 
operations  in  the  next  year.  The  Committee  expects  to  finalize  its  business 
and  work  plans  by  September  2009. 

•  Set  up  a  financial  accountability  team  (the  Team)  to  produce  an  annual 
report  for  academic  medicine.  The  annual  report  includes  a  financial 
report  and  identifies  key  outputs  and  results,  financial  risks  and  issues. 

•  The  Team  has  developed  a  proforma  statement  of  operations  for  reporting 
the  revenues  and  expenditures  of  academic  medicine.  The  statement 
summarizes  the  financial  resources  applied  to  the  delivery  of  academic 
medicine  in  Alberta  and  includes  the  funding  provided  to  academic 
medicine  by  the  departments  and  universities,  and  expenses  related  to  the 
activities  of  faculty  and  staff  at  the  University  of  Alberta  and  University  of 
Calgary. 
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1.4  Province-wide  services — changed  circumstances 

In  2007  -2008.  we  followed  up  on  recommendations  from  our  2002  2003 
Annual  Report  (No.  23 — pages  156  and  157)  to  the  Department  to  improve  the 
process  on  funding  province-wide  services.  In  our  October  200S  Report 
(No.  36 — page  303),  we  further  recommended  that  the  Department: 

•  define  the  role  and  responsibilities  of  the  Province-Wide  Sen  ices 
Advisory  Committee 

•  update  and  follow  the  Province-Wide  Services  Funding  Procedures  and 
Definitions  Mam  nil 


AHS  is  now 
responsible  for 
funding 
province-wide 
sen  ices 


With  the  establishment  of  Alberta  Health  Services,  the  Department  no  longer 
funds  province-wide  sen  ices  directly.  Instead,  the  Department  provides 
funding  to  AHS.  which  is  responsible  for  allocating  that  funding  to  all 
services,  including  province-wide  services.  As  a  result,  the  Province-Wide 
Services  Advisory  Committee  is  no  longer  required  and  there  is  no  need  to 
maintain  the  Funding  Procedures  and  Definitions  Manual. 


1.5  Global  funding — changed  circumstances 

In  2005  2006,  we  followed  up  on  recommendations  from  our  1997  1998 
Annual  Report  (No.  27 — page  127)  and  our  1999  2000  Annual  Report 
(No.  21 — page  144).  We  made  nine  recommendations  to  the  Department  in  our 
2005-2006  Annual  Report  (vol.  1 — pages  146  to  161 )  for  the  Department  to 
improve  its  allocation  methodology  for  global  funding. 


Department 
provides 
unrestricted 
funding  to  AHS 


With  the  establishment  of  Alberta  Health  Services,  the  funding  model  used  by 
the  Department  has  changed.  The  Department  no  longer  determines  the 
allocation  of  funding  to  regions  or  key  services  in  the  prov  ince.  In 
2009  2010.  the  Department  prov  ided  AHS  with  a  base  unrestricted  funding  to 
prov  ide  health  service  across  the  province.  This  approach  allows  AHS  to 
allocate  the  funding  with  the  flexibility  to  fulfill  its  mandate.  The  Department 
is  no  longer  responsible  for  the  funding  allocation  to  regions. 


AHS  now 
responsible  for 
funding  allocation 
to  services  and 
programs 


AHS  is  now  responsible  for  determining  allocation  of  the  funding  to  its 
services,  programs  and  regions  based  on  its  priorities.  AHS  shared  its  resource 
allocation  plan  with  the  Department  for  the  Minister's  review. 
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2.    Alberta  Health  Services 
2.1  Executive  termination  payments 
Recommendation  No.  27 

We  recommend  that  Alberta  Health  Services  establish  controls  for 
executive  termination  payments  by: 

•  developing  and  implementing  appropriate  approval  and  oversight 

processes 

•  clearly  defining  termination  and  post-termination  benefits  in 
employment  contracts 

•  including  future  termination  benefits  in  the  salary  and  benefit 
disclosure  in  the  financial  statements. 


Salaries,  benefits 
and  severances 
disclosed 


S23  million  in 
severance  costs 
incurred  for  the 
AHS  transition 


Background 

Annually,  the  nine  regional  health  authorities,  two  provincial  health  boards  and 
the  Alberta  Alcohol  and  Drug  Abuse  Commission  ("the  Authorities,,) 
disclosed  executive  salaries,  cash  benefits  and  non-cash  benefits  earned  in  the 
year  in  their  financial  statements.  The  Authorities  also  disclosed  severance 
payments  and  the  annual  expense  incurred  by  the  Authority  for  an  executive's 
supplementary  retirement  plan  (SRP)  as  well  as  the  estimated  SRP  obligation 
owing  to  the  employee  after  retirement. 

Subsequent  to  the  Minister  of  Health  and  Wellness  announcing  the 
amalgamation  of  the  Authorities,  Alberta  Health  Services  (AHS)  terminated 
the  Chief  Executive  Officers  (CEOs)  and  several  executives  in  the  Authorities. 
As  of  March  3 1 ,  2009,  the  Authorities  had  incurred  $23  million  in  severance 
costs  associated  with  the  transition  to  AHS.  This  included  severance  payments 
for  30  senior  executives,  which  totalled  $18  million.  In  addition  to  the 
severance  payments,  some  senior  executives  received  other  termination 
benefits  such  as  bonuses  for  2008-2009  and  vacation  payouts  as  well  as  either 
lump  sum  payments  or  monthly  payments  for  their  supplementary  retirement 
plans.  The  financial  statements  of  each  Authority  included  the  severance 
payments  and  other  termination  benefits  paid  to  each  executive  and  the  other 
employees. 


AHS  used  external  legal  counsel  to  assist  with  the  negotiation  and 
determination  of  severance  amounts  for  the  terminated  CEOs  and  executives. 
Once  AHS  made  the  decision  to  terminate  the  CEOs  and  executives,  the 
terminated  employee  was  told  to  contact  AHS's  external  legal  counsel  to 
discuss  the  severance  details. 
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Severances 
negotiated  by 
AMS's  external 
legal  counsel 


To  determine  the  severance  amounts  that  the  terminated  executives  were 
entitled  to.  AHS's  external  legal  counsel's  review  included  the  employment 
contracts  and  related  documentation  as  well  as  the  recent  payroll  records  and 
benefit  payments  provided.  Negotiations  between  AHS's  external  legal 
counsel  and  the  terminated  executive,  or  their  legal  representative,  continued 
until  the  amount  of  the  severance  payment  was  agreed  to  by  both  AHS's 
external  legal  counsel  and  the  terminated  executive.  Once  the  severance 
amounts  were  agreed  to  by  both  parties.  AHS's  external  legal  counsel  ad\  ised 
the  Authorities  to  make  the  severance  payments. 


Criteria:  the  standards  we  used  for  our  audit 

AHS  should  have  appropriate  oversight  and  approval  processes  to  ensure  that 
termination  benefits  and  payments  are  appropriate  and  in  accordance  with  the 
employment  contracts.  Employment  contracts  should  have  clearly  denned 
termination  and  post-termination  benefits,  and  key  management  decisions 
regarding  severances  should  be  documented.  Salary  and  benefit  disclosures 
should  be  complete,  accurate,  understandable  and  transparent,  and  should 
include  all  elements  of  compensation. 


Examined 
severanee 
payments  for 
eight  CEOs  and 
1 1  exeeutives 


Our  audit  findings 

We  examined  the  process  used  by  AHS  to  determine  the  executive  severance 
amounts,  approve  and  pay  them.  We  also  examined  a  sample  of  severance 
payments,  including  those  of  all  eight  terminated  CEOs  and  1  1  other 
executives.  Our  findimis  are  as  follow  s: 


No  severanee 
policies,  defined 
processes  or 
documentation 


AHS  severance  process  and  oversight 

There  was  a  lack  of  oversight  by  AHS  management  and  its  Board  in  the  entire 
severance  process.  AHS  did  not  have  a  clearly  defined  process,  including  roles 
and  responsibilities  for  negotiating,  reviewing,  approv  ing  and  pay  ing  the 
severances.  Nor  did  AHS  have  any  severance  policies.  When  we  examined  the 
severance  amounts  paid,  we  found  that  AHS  had  no  documentation  to  support 
the  severance  payment  calculations.  All  of  the  documentation  w  as  maintained 
and  resided  with  AHS's  external  legal  counsel.  While  AHS's  external  legal 
counsel  had  a  clear  understanding  of  the  severance  amounts,  w  hat  the) 
included  and  how  they  were  calculated,  AHS  did  not. 


Several  severanee 
payments  were 
not  approved 


AHS  management  advised  us  that  they  were  involved  in  certain  decisions 
related  to  the  severance  payments.  We  found  documentation  thai  thev  were 
involved  in  some  decisions,  but  not  all.  We  only  found  documentation 
evidencing  approv  al  from  AHS  for  four  of  the  19  severance  payments  we 
examined.  The  AHS  Board  was  provided  information  on  the  CEO  severance 
payments  in  July  2008  and  August  2008,  but  they  did  not  approve  the 
payments. 
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Severance 
overpayments 
totalled  $41,000 


The  lack  of  a  clearly  defined  severance  process  with  appropriate  reviews, 
approvals  and  oversight  by  AHS  resulted  in  three  overpaid  severances, 
totalling  approximately  $41,000.  These  overpayments  resulted  from 
mathematical  errors  and  the  use  of  the  wrong  employment  contract  to 
determine  the  termination  benefits.  AHS  is  currently  determining  whether  it 
can  recover  these  overpayments. 


Although  AHS  hired  external  legal  counsel  to  assist  them  with  the  severance 
process  and  negotiations,  the  payments  should  have  been  reviewed  and 
approved  by  AHS  before  they  were  made. 


Termination 
benefits  varied 
significantly 


Termination 
benefits  not  clear 
in  employment 
contracts 


Termination 
benefits  included 
SRP  payments 


Termination  and  post-termination  benefits  and  documentation 

The  termination  benefits  included  in  the  executive  employment  contracts 
varied  significantly,  since  the  employment  contracts  were  negotiated  by  each 
of  the  Authority's  previous  boards  and  senior  executives.  For  all  of  the 
severance  payments  we  examined,  the  severance  was  calculated  based  on  the 
salary  and  benefits  at  the  time  of  termination,  multiplied  by  a  specified  number 
of  months  as  defined  in  the  employment  contract's  termination  notice  period. 
The  severance  payments  varied  primarily  due  to  the  following: 

•  The  base  salaries  used  in  the  severance  calculation  varied.  For  the  CEOs, 
the  annual  salaries  used  ranged  from  $240,931  to  $541,787.  For  the  other 
executives  we  examined,  the  annual  salaries  ranged  from  $197,669  to 
$515,000. 

•  For  the  CEOs,  the  months  used  in  the  notice  period  ranged  from  18  to 
33  months,  while  notice  periods  for  other  executives  ranged  from  six  to 
24  months. 

•  Outplacement  costs  and  legal  costs  were  paid  for  some  executives. 

In  several  employment  contracts,  the  termination  and  post-termination  benefits 
were  not  clearly  defined.  Therefore,  we  cannot  conclude  with  certainty  if  the 
severance  amounts  were  in  accordance  with  the  employment  contracts. 
Examples  of  unclear  terms  include  the  following. 

Supplementary  retirement  plan  benefits 

Many  CEOs  and  executives  were  enrolled  in  supplementary  retirement  plans 
(SRPs).  Only  three  of  the  employment  contracts  we  examined  defined  the  SRP 
as  a  termination  benefit.  None  of  the  employment  contracts  defined  how  the 
SRP  benefit  would  be  calculated  for  purposes  of  determining  the  termination 
benefit.  We  were  advised  by  AHS's  external  legal  counsel  that  AHS  made  the 
decision  to  calculate  the  SRP  termination  benefit  based  on  the  previous  years' 
SRP  expense  multiplied  by  the  termination  notice  period.  But,  we  were  unable 
to  find  documentation  evidencing  this  decision  or  why  it  was  made.  Six  CEOs 
and  three  executives  examined,  received  SRP  termination  benefits  totalling 
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$955,000.  The  payments  ranged  from  $22,000  to  $297,500.  One  terminated 
CEO  will  also  remain  in  the  SRP  until  March  3 1 .  201  1 .  and  w  ill  continue  to 
accumulate  pensionable  service.  The  estimated  \alue  of  this  benefit  is 
approximate!)  $290,000. 


Bonuses  paid  to 

terminated 

executives 


Bonus  payments 

Several  employment  contracts  included  entitlement  to  a  bonus  based  on 
performance  criteria.  For  the  severance  payments  we  examined.  AHS  paid 
bonuses  to  four  CEOs  and  three  other  executives.  The  bonus  was  paid  for  their 
period  of  employment  in  the  2008-2009  fiscal  year,  prior  to  AHS  terminating 
them.  For  one  of  the  executives,  the  bonus  was  also  paid  for  the  three  months 
following  their  termination  date.  The  bonuses  were  based  on  historical  bonus 
percentages  and  were  not  based  on  performance  criteria.  We  were  adv  ised  by 
AHS's  external  legal  counsel  that  AHS  made  the  decision  to  pay  out  these 
bonuses  based  on  historical  percentages,  but  we  were  unable  to  find 
documentation  evidencing  this  decision  or  why  it  was  made.  The  bonus 
payments  for  the  CEOs  and  executives  examined  totalled  $359,100.  The 
payments  ranged  from  $9,800  to  $87,346. 


Examples  of  other 
termination 
benefits  not 
clearly  defined 


Other  termination  benefits 

The  following  termination  benefits  were  included  in  the  severance  amount,  but 
were  not  clearly  defined  in  the  employment  contracts: 

•  A  CEO  received  a  health  spending  benefit  totalling  $16,290  ($8,500  per 
year  multiplied  by  a  23-month  termination  notice  period). 

•  A  CEO  received  approximately  $39,000  for  incremental  costs  associated 
with  replacement  life  insurance,  medical  and  dental  coverage  as  well  as 
lost  pension  plan  benefits. 


Retention  bonuses 
paid  to  terminated 
executive 


Retention  bonuses 

On  April  I,  2008,  the  (then)  CEO  of  Capital  Health  announced  retention 
bonuses  totalling  $300,000  to  1 5  executives  ($20,000  each)  for  their  continued 
employment  until  March  31,  2009.  The  CEO  and  Vice  President  of  Human 
Resources  of  Capital  Health  approved  these  retention  bonuses  for  payment  on 
May  27,  2008.  subsequent  to  the  Minister's  decision  to  amalgamate  the 
Authorities.  Documentation  stated  that  if  the  executives  left  Capital  Health 
prior  to  March  31,  2009,  the  retention  bonuses  would  be  recovered  on  a 
pro-rated  basis.  Eight  of  the  15  executives  were  terminated  subsequent  to 
receiving  the  retention  payments.  But  none  of  the  payments  were  recovered. 
Capital  Health's  human  resource  department  advised  us  that  the  retention 
payment  would  have  only  been  recovered  if  the  employee  had  voluntarily  quit. 
But  this  was  not  clear  in  the  documentation. 
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Salary  and  benefit  disclosure 

Because  AHS  did  not  have  an  ongoing  process  to  review  and  examine  the 
severance  payments  arising  from  the  transition,  extensive  work  was  needed 
after  year-end  to  obtain  the  information  from  AHS's  external  legal  counsel  to 
prepare  the  final  salary  and  benefit  disclosures  in  the  Authorities'  financial 
statements. 

The  final  financial  statements  fully  disclose  the  termination  benefits  paid  to  the 
terminated  executives.  However,  the  financial  statement  disclosure  does  not 
include  any  information  on  entitlements  or  the  estimated  value  of  these 
entitlements  should  the  existing  executives  be  terminated  with  or  without 
cause.  Current  private  sector  best  practices  suggest  that  the  organizations 
disclose  and  quantify  where  appropriate: 

•  the  circumstances  that  could  trigger  termination  benefits 

•  the  estimated  termination  benefits  that  would  be  provided  in  each  case 

•  any  significant  conditions  to  receiving  payments  or  benefits 

Implications  and  risks  if  recommendation  not  implemented 

Without  adequately  documented  employment  contracts,  appropriate  oversight, 
control  processes  and  disclosure,  AHS  will  not  be  aware  of  its  executive 
termination  costs  and  contractual  obligations.  The  risk  of  overpayment, 
financial  losses  and  corporate  reputation  damage  to  AHS  will  be  increased. 

2.2  Supplementary  retirement  plans 
Recommendation  No.  28 

We  recommend  that  Alberta  Health  Services  review  existing 
supplementary  retirement  plans  and: 

•  understand  the  terms  and  conditions  for  each  plan 

•  develop  clear  and  consistent  policies  and  processes  for  administering 
them 

•  obtain  actuarial  valuations,  using  appropriate  and  consistent 
assumptions,  for  the  plans 

•  understand  the  impact  of  funding  options 

•  ensure  sufficient  funds  are  av  ailable  to  meet  plan  obligations 

Background 

The  Income  Tax  ActH  limits  the  amount  of  income  that  can  be  considered 
pensionable  under  a  registered  pension  plan.  In  1992,  the  federal  government 
required  governments  to  apply  the  pensionable  income  limits  defined  in  the 
Income  Tax  Act  to  public  service  pension  plans.  Supplementary  retirement 


Termination 
benefits  for 
existing  executive 
not  disclosed 


Income  Tax  Act 
defines  the 
pensionable 
income  limits 


R.S.C.  1985,  c.l  (5,hsupp) 
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plans  (SRPs)  were  developed  and  implemented  to  provide  retirement  pension 
for  income  earned  in  excess  of  the  limits  identified  in  the  Income  Tax  Act. 


Eleven  different 
SRPs  in  the 
Authorities 


The  nine  regional  health  authorities,  two  provincial  health  hoards  and  Alberta 
Alcohol  and  Drug  Abuse  C  ommission  ("the  Authorities")  participated  in  the 
public  service  pension  plans.  In  addition  to  the  public  service  pension  plans, 
there  are  also  1  I  different  SRPs  w  ithin  the  Authorities.  These  plans  were 
established  by  previous  regional  boards  between  2001  and  2007. 


AHS  is  now  responsible  for  the  SRPs  the  former  Authorities  negotiated. 
Therefore.  AHS  needs  to  hav  e  a  clear  understanding  of  each  plan  to  determine 
its  approach  to  managing  them  in  the  future.  AHS  w  ill  also  need  this 
information  to  assess  the  plans*  impact  on  executive  compensation  programs 
and  future  financial  obligations. 

Criteria:  the  standards  we  used  for  our  audit 

There  should  be  clear  and  consistent  policies  for  administering  SRPs.  A I  IS 
should  hav  e  a  clear  understanding  of  the  inconsistencies  within  their  existing 
SRPs  and  impact  of  any  future  SRP  decisions. 


Terms  and 
conditions  of  the 
SRPs  are 
inconsistent 


Our  audit  findings 

The  terms  and  conditions  of  the  SRPs  are  identified  in  the  SRP  agreements. 
All  but  one  Authority  has  a  SRP  agreement.  The  terms  and  conditions  for 
the  SRPs  are  not  consistent  with  one  another,  except  they  arc  all 
non-contributory.  For  example: 

•  Participants — In  the  majority  of  plans,  the  participants  are  limited  to  only 
a  few  senior  executives.  I  lovvever,  one  Authority  has  over  40  participants. 

•  Retirement  benefits — Some  plans  base  the  pension  on  1 .75%  of  the 
highest  average  five  consecutive  years  of  earnings:  other  plans  base  it  on 
2%.  In  most  plans,  retirement  benefits  are  provided  monthly  for  a 
recipient's  lifetime.  However,  in  one  plan  the  monthly  retirement  benefits 
are  provided  for  only  10  years. 

•  Eligible  earnings — In  some  plans,  eligible  earnings  include  bonuses;  other 
plans  cap  bonuses  at  20%  and  in  one  plan  bonuses  are  not  considered 
eligible  earnings. 


Purpose  of  SRP  is 
not  clear 


The  purpose  of  the  SRPs  has  not  been  clearly  defined.  In  some  instances  it 
appears  that  they  were  used  to  restore  pension  benefits  to  what  thev  would 
have  been  if  the  Income  Tax  Act  limits  did  not  apply.  However,  in  other  plans, 
it  appears  that  they  were  used  to  attract  or  retain  employees.  For  example,  the 
CEO  of  the  Calgary  Health  Region  w  ho  was  terminated  in  July  2008,  had 
28.6  years  of  SRP  pensionable  sen  ice,  although  he  had  only  been  with  the 
Authority  for  8.8  years.  The  CEO's  contract  included  these  additional 


Report  of  the  Auditor  General  of  Alberta 
October  2009 


Financial  Statement  and  Other  Assurance  Audits 


Health  and  Wellness 


AHS's  unfunded 
SRP  obligation  is 
$20  million 


Inconsistent 
assumptions  used 


Health  provided 
grant  to  fund  the 
unfunded  SRPs 


entitlements.  Also,  several  executives  in  the  Authorities  were  granted 
additional  years  of  pensionable  service. 

At  March  31,  2009,  AHS's  total  obligation  for  the  SRPs  was  $28  million.  Four 
of  the  1 1  plans  are  not  funded,  meaning  that  there  are  no  designated  assets  set 
aside  to  fund  the  obligations.  The  total  accrued  unfunded  obligation  at 
Match  3 1 ,  2009  for  these  four  plans  was  $20  million.  The  total  obligation  for 
the  plans  is,  in  part,  based  on  the  assumptions  used,  including  discount  rates 
and  salary  increases.  The  assumptions  used  to  determine  each  Authority's 
accrued  obligation  varied  at  March  31,  2009.  For  example,  the  discount  rates 
ranged  from  6.2%  to  8.8%  and  salary  increases  ranged  from  4%  to  5%.  There 
were  no  explanations  to  support  these  differences.  Given  the  current  economic 
situation  and  the  unfunded  status  of  a  number  of  the  plans,  we  would  expect 
that  a  more  conservative  discount  rate  of  no  more  than  6.2%  would  have  been 
used  to  determine  the  obligation  of  the  plans.  Similar  government  pension 
plans  use  discount  rates  closer  to  5%. 

Alberta  Health  and  Wellness  (Health)  has  provided  a  grant  to  AHS  to  fund  its 
unfunded  SRPs.  AHS  has  not  made  any  decisions  on  how  it  proposes  to  fund 
these  plans.  AHS  will  need  to  assess  the  funding  options  and  implications  and 
set  aside  sufficient  funding  to  meet  its  obligations. 

Implications  and  risks  if  recommendation  not  implemented 

If  AHS  management  does  not  understand  the  terms,  conditions  and  purpose  of 
the  SRPs,  they  will  not  understand  the  impact  of  future  decisions.  Without 
consistent  plans,  policies  and  procedures,  there  will  be  inconsistent  SRP 
benefits  and  inequitable  compensation  within  AHS. 

2.3  Information  technology  control  policies  and  processes 
Recommendation  No.  29 
We  recommend  that  Alberta  Health  Services: 

•  develop  an  information  technology  control  framework,  including 
appropriate  risk  management  processes  and  controls,  for  the 
management  of  its  information  technology  resources 

•  monitor  compliance  with  security  policies,  implementing  effective 
change  management  processes  and  improving  passwords  controls 
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IT  control 
framew  ork  is 
essential  to 
mitigate  risks 


IT  control 
framework  is  the 
foundation  for 
control  systems 
and  processes 


COBIT  isa 
recognized 
international 
standard 


Background 

Well-designed  and  effective  information  technology  (IT)  control  processes  arc 
the  best  way  to  preserve  the  security  and  integrity  of  an  organization's 
information  and  systems.  A  comprehensive  IT  control  framework  should  be  a 
critical  part  of  every  organization's  internal  control  program  to  mitigate  risks 
and: 

•  provide  secure  sen  ices  to  patients  and  staff 

•  protect  the  confidentiality  and  security  of  information 

•  ensure  that  systems  are  available  w  hen  needed 

An  IT  control  framework  should  drive  the  IT  control  processes  and  specific 
activities  designed  to  achieve  identified  control  and  business  objectives,  and  to 
mitigate  identified  risks.  Management  should  monitor  and  measure  the 
effectiveness  of  the  IT  control  framework  to  ensure  that  IT  controls  operate  as 
designed  and  provide  efficient  and  secure  services  to  all  patients  and  staff. 

An  IT  control  framework  such  as  COBIT  (Control  Objectives  for  Information 
and  related  Technology)  is  a  key  element  in  developing  and  ensuring  that  there 
are  proper  controls  over  an  organization's  information  and  the  systems  and 
processes  that  create,  store,  manipulate  and  retrieve  important  data.  COBIT  is 
an  industry-recognized  best  practice  IT  control  framework  dev  eloped  and 
maintained  by  the  Information  Technology  Governance  Institute. 


We  evaluated 
general  computer 
controls  at  the 
Authorities 


Our  framework  for  testing  computer  controls  is  based  on  a  subset  of  C(  )BIT. 
We  evaluated  the  general  computer  controls  at  each  of  the  nine  regional  health 
authorities,  two  provincial  health  boards  and  Alberta  Alcohol  and  Drug  Abuse 
Commission  (the  "Authorities").  For  each  Authority,  we  evaluated  33  general 
computer  control  activities  related  to  its: 
risk  management 

application,  operating  system,  network  and  physical  security 
logical  access  to  programs  and  data 
program  change  management 
backup  and  restoration 


Criteria:  the  standards  we  used  for  our  audit 

To  properly  mitigate  significant  risks,  AHS  should  use  an  IT  control 
framework  to  develop  and  implement  well-designed,  efficient  and  effective  IT 
controls. 
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Ineffective  IT 
controls  at  each 
Authority 


No  Authority  had 
an  IT  control 
framework 


Comprehensive  IT 
risk  assessment 
not  done 


Our  audit  findings 

We  found  a  number  of  weaknesses  in  the  IT  controls  at  each  of  the  Authorities, 
including  ineffective  security  controls.  These  weaknesses  result  from  poorly 
designed  control  frameworks  and  the  lack  of  adequate  risk  assessments. 

IT  control  framework 

None  of  the  Authorities  used  an  IT  control  framework  to  guide  the 
development  of  a  strong  IT  control  environment.  Nor  were  they  able  to 
demonstrate  that  they  had  a  comprehensive  risk  management  process  to 
identify  all  potential  risks.  Specifically,  none  of  the  Authorities  had: 

•  an  IT  control  framework  to  ensure  that  IT  control  activities  were 
well-designed  to  efficiently  and  effectively  mitigate  significant  risks 

•  an  organizational  IT  risk  assessment  strategy  to  help  them  identify  or 
mitigate  all  risks  to  confidential  patient  and  financial  information 

•  a  process  to  ensure  that  IT  controls  were  regularly  reviewed  and 
consistently  followed 

•  a  process  to  identify  risks  that  could  not  be  efficiently  and  effectively 
mitigated  by  IT  controls  and  to  either  reduce  or  accept  that  risk 

Some  Authorities  performed  risk  assessments  as  part  of  their  change 
management  process  or  the  implementation  of  new  IT  projects,  but  these  were 
completed  in  isolation  and  only  considered  the  impact  of  the  specific  change  or 
project.  The  Authorities  had  not  performed  an  IT  risk  assessment  that 
considered  all  risks  to  the  IT  environment;  nor  had  they  related  IT  risks  back  to 
business  risks. 


IT  security  controls 

weaknessLTi^1         We  als°  f°Und  3  number  of  common  security  control  weaknesses  with 

monitoring  security  policies,  implementing  effective  change  management 
procedures  and  enforcing  strong  password  controls.  In  Capital  Health,  Calgary 
Health  Region,  Aspen  Health  Region  and  AADAC,  either  the  previous 
auditors  or  we  had  made  recommendations  on  IT  security  controls  in  prior 
years.  These  Authorities  were  in  the  process  of  implementing  the  outstanding 
recommendations;  therefore,  we  have  not  repeated  these  issues  below. 
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Below  is  a  summary  of  specific  IT  weakness  we  identified: 
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-  relates  to  monitoring  compliance  with  security  policies 
PY  -  prior  year  recommendation 
*  -  current  year  weakness 


Monitor  compliance  with  security  policies 
Insufficient  IT  Most  Authorities  did  not  have  adequate  processes  to  monitor  compliance  with 

their  security  policies.  Specifically  we  found: 
monitoring  J  r  r 

•  Six  Authorities  were  not  promptly  removing  user  access  from  the  network 
or  an  application  after  the  user  was  terminated.  In  three  Authorities,  access 
was  not  removed  until  six  months  after  the  termination. 

•  Five  Authorities  were  not  adequately  reviewing  who  had  access  to 
financial  applications  to  determine  if  the  access  was  appropriate  or 
required. 

•  Six  Authorities  were  not  monitoring  security  logs  to  detect  potential 
security  breaches  in  their  IT  environment. 

•  Six  Authorities  were  not  adequately  monitoring  their  network  to  determine 
if  unauthorized  devices  were  connecting  to  the  network,  including 

w  ireless  devices. 

•  Three  Authorities  were  not  adequately  monitoring  access  to  the  server 
room. 

•  One  Authority  did  not  have  adequate  antiv  irus  processes. 
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Change  management 

All  seven  Rural  Regional  Health  Authorities  (RRHAs)  used  Meditech,  an 
integrated  health  information  system  that  includes  clinical  and  administration 
modules.  The  Regional  Shared  Health  Information  Program  (RSHIP)  was 
responsible  for  maintaining  the  Meditech  shared  data  warehouse  and 
performing  specific  IT  functions. 

In  discussions  with  RSHIP  and  the  RRHAs,  we  found  that  there  was  not  a 
clear  understanding  of  the  change  management  testing  responsibilities  between 
RSHIP  and  the  RRHAs.  The  RRHAs  assumed  that  RSHIP  was  responsible  for 
testing  changes  and  that  testing  on  their  part  was  optional.  As  well,  test  plans 
were  not  completed  or  followed  by  the  RRHAs.  We  tested  two  Meditech 
changes  and  were  unable  to  find  documentation  evidencing  that  any  of  the 
RRHAs  had  tested  it. 

Password  controls 

While  a  valid  username  and  password  combination  is  required  to  access 
Meditech,  and  users  must  change  their  passwords  every  96  days,  the  following 
control  w  eaknesses  exist: 

•  there  are  no  restrictions  preventing  the  use  of  dictionary  words  as 
passwords 

•  Meditech  password  settings  have  a  minimum  length  of  eight  characters, 
but  there  is  no  requirement  to  use  a  combination  of  upper  and  lower  case 
letters,  numbers  and  non-alphanumeric  characters 

•  error  reports  identifying  failed  login  attempts  are  not  reviewed 

The  weak  Meditech  password  controls  impacted  six  Authorities. 

Three  Authorities  also  had  weak  password  controls  for  either  their  network  or 
other  financial  applications. 

Implications  and  risks  if  recommendation  not  implemented 

Without  a  well-designed  process  to  identify  risks  to  their  computing 

env  ironment,  AHS  cannot  be  aware  of  all  risks  to  their  information  systems 

and  data.  Nor  do  they  have  effective  IT  controls  to  mitigate  the  risks. 

Inadequate  and  ineffective  IT  control  processes  and  activities  can  lead  to: 

•  confidential  patient  data  being  lost,  improperly  accessed,  misused  or 
disclosed 

•  systems  and  applications  being  hacked  or  abused  by  malicious  users 

•  implementation  of  systems  or  applications  that  do  not  work  as  expected  or 
do  not  provide  the  expected  benefits 


Responsibility  for 
change 
management 
testing  is  not  clear 


W  eak  password 
controls  exist 
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Each  Authority 
was  required  to 
prepare  a  business 
plan 


S9.9  billion  in 
health  care 
expenses 


2.4  Budget  approval 

Recommendation  No.  30 

W  e  recommend  thai  Alberta  Health  Services  prepare  an  annual  business 
and  financial  plan  and  that  this  plan  be  approved  In  its  Hoard. 

Background 

Business  plans  are  used  to  communicate  an  organization's  strategies,  goals  and 
direction  as  well  as  the  budgeted  resources  required  to  achieve  the  plan. 
Business  plans  are  fundamental  in  ensuring  that  everyone  in  the  organization 
understands  where  the  organization  is  going  and  the  resources  they  have 
available  to  implement  the  plan.  Business  plans  form  an  agreement  between 
the  stakeholders  and  management  and  are  used  to  measure  and  monitor 
progress  as  well  as  provide  accountability  mechanisms. 

Authorities  prepared  business  plans  on  an  annual  basis.  The  business  plan 
included  the  Authority's  strategic  priorities,  measures  and  targets  to  assess 
performance,  as  well  as  its  financial  plan  for  the  year.  Each  Authority  was 
required  to  submit  its  business  plan  to  the  Ministry  of  Health  and  Wellness. 

Combined,  the  Alberta  Health  Services  (AHS)  Board  was  responsible  for  the 
oversight  of  over  $9.9  billion  in  health  care  expenditures  for  fiscal  2008  2009. 

Criteria:  the  standards  we  used  for  our  audit 

Business  plans  should  be  prepared  and  approved  by  the  AHS  Board  and  should 
be  communicated  to  all  stakeholders,  including  the  public. 


The  Authorities 
2008-2009 
budgeted 
operating  deficit 
was  S392  million 


Our  audit  findings 

In  2008-2009,  management  of  each  of  the  Authorities  prepared  the  required 
business  plan  and  financial  plans,  but  these  plans  were  not  approved  by  anyone 
other  than  that  Authority's  own  management.  The  combined  budgeted 
accumulated  deficit  reported  in  the  Authorities'  business  plans  was 
$887  million,  with  a  budgeted  operating  deficit  of  $392  million. 


Business  plans 
were  not  approved 
by  the  AHS  Board 
or  the  Minister 


Most  regional  health  boards  had  not  approved  the  Authorities'  2008  2009 
business  plans  before  the  boards  were  removed.  The  AHS  Board  monitored  the 
quarterly  financial  results  of  each  of  the  Authorities  in  2008  2009,  including 
the  budgets  from  their  financial  plans,  actual  and  forecasted  financial  results: 
however,  none  of  the  Authorities'  business  plans,  including  the  financial  plan, 
was  approved  by  the  AHS  Board.  A  consolidated  AHS  business  plan  or  budget 
was  not  prepared  for  2008-2009. 
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systems  are 
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The  Authorities1  business  plans  were  provided  to  the  Ministry  of  Health  and 
Wellness.  But  the  Minister  of  Health  and  Wellness  is  not  required  to  approve 
the  business  plans  and,  therefore,  did  not  approve  them. 

Implications  and  risks  if  recommendation  not  implemented 

Without  an  agreed  to  business  and  financial  plan,  AHS  management  and  its 
Board  may  not  understand  the  goals  and  direction  of  AHS  or  the  resources 
they  have  available  to  provide  health  services  or  achieve  their  objectives.  This 
situation  creates  uncertainty  and  a  lack  of  financial  accountability. 

2.5  Financial  management  systems  for  capital  projects 
2.5.1  Summary 

Our  audit  objective  was  to  assess  if  Alberta  Health  Services  (AHS)  has 
effective  and  efficient  financial  management  systems  to  approve,  monitor  and 
report  on  capital  projects. 

We  audited  the  systems  in  the  following  Authorities: 

•  Calgary  Health  Region 

•  Capital  Health 

•  East  Central  Health 

•  Peace  Country  Health 

At  each  Authority,  we  obtained  an  understanding  of  the  financial  management 
systems  and  examined  three  or  four  capital  projects  to  test  the  operating 
effectiveness  of  the  systems. 

AHS  does  not  have  effective  and  efficient  financial  management  systems  to 
approve,  monitor  and  report  on  capital  projects.  Authorities  use  a  variety  of 
capital  project  management  systems.  They  have  policies  and  processes  to 
review  and  approve  capital  project  expenses,  and  to  handle  cost  variances, 
including  change  orders.  These  capital  project  management  systems  track  key 
financial  information  such  as  project  budgets,  commitments,  actual 
expenditures  and  forecasts,  but  some  systems  do  not  track  all  of  this 
information.  Some  of  these  project  management  systems  integrate  with  their 
financial  systems;  others  do  not. 

We  made  two  recommendations  to  AHS  to  improve  their  capital  project 
financial  management  systems: 

•  Obtain  approval  from  the  Minister  of  Health  and  Wellness  for  capital 
projects,  secure  adequate  funding  for  the  capital  project  before  it  starts  and 
include  the  estimated  future  operating  costs  in  its  budget. 

•  Implement  common  policies,  processes  and  systems  and  improve  the 
reporting  to  the  AHS  Executive  and  Audit  and  Finance  Committee. 
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2.5.2  Capital  project  funding  and  approval 

Recommendation  No.  31 

\\  e  recommend  that  Alberta  Health  Services: 

•  obtain  appropriate  approval  from  the  Minister  of  Health  and 
Wellness  and  secure  adequate  capital  funding  before  starting  capital 
projects  that  are  internally  funded  or  debt  financed 

•  ensure  budgets  include  the  estimated  future  operating  costs  associated 
with  new  capital 


Funding 
options 
three  sources 


Background 

There  are  three  sources  of  funding  for  a  capital  project: 

•  externally  funded  (e.g..  gen  eminent,  donations) 

•  internally  funded  (from  AHS's  surplus  reserves) 

•  debt  funded  (debt  obtained  and  paid  down  through  operating  surplus 
resen  es) 


Authorities 
prepared  a 
multi-year  capital 
plan 


Capital  projects 
require  approval 
from  the  Minister 


Major  health  sector  capital  projects  are  approved  at  the  prov  incial  level  within 
the  context  of  the  government's  annual  capital  budget  and  provincial  priorities. 
Each  year,  the  regional  health  authorities  (the  "Authorities")  were  required  to 
submit  a  multi-year  capital  plan  to  the  Department  of  Health  and  \\  ellness  and 
the  Department  of  Infrastructure.  Each  Authority's  capital  plan  identified, 
justified  and  prioritized  major  capital  projects  needed  over  the  next  three  years 
and  in  the  longer  term.  As  well,  one  of  the  four  primary  purposes  of  the 
multi-year  capital  plan  was  to  prov  ide  a  preliminary  estimate  of  the  operating 
cost  implications  of  the  proposed  capital  inv  estments.  The  Department  of 
Health  and  Wellness  and  the  Department  of  Infrastructure  used  a  rating  system 
to  determine  the  government's  health  capital  priorities,  which  roll  up  into  the 
prov  incial  health  plan.  The  prov  incial  health  plan  was  then  incorporated  into 
the  prov  incial  capital  plan. 

The  Regional  Health  Authority  Regulation1  states  that  no  Authority  shall, 
u  ithout  written  consent  of  the  Minister,  enter  into  a  capital  development 
project  that  has  a  v  alue  in  excess  of  an  amount  specified  by  the  Minister  in  a 
directive.  Although  there  is  no  directive  that  specifies  a  dollar  amount. 
Authorities  have  included  projects  that  exceed  $2.5  million  in  their  capital 
plans.  As  well,  the  Hospitalization  Benefits  Regulation 16  defines  minor  capital 
projects  as  those  with  an  estimated  cost  of  less  than  S2.5  million.  For  projects 


15  Alta.  Reg.  15/95 

16  Alta.  Reg.  244/1990 
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funded  through  the  issue  of  debentures  or  otherwise,  this  Regulation  also 
requires  Authorities  to  obtain: 

•  Treasury  Board's  approval  for  projects  exceeding  $2.5  million 

•  the  Minister  of  Health  and  Wellness's  approval  for: 

•  minor  construction  projects  requiring  a  minor  construction  grant 

•  all  construction  projects  funded  through  borrowing 

Criteria:  the  standards  we  used  for  our  audit 

AHS  should  have  effective  processes  to: 

•  obtain  Ministerial  approval  for  major  capital  projects,  prior  to  starting 
them 

•  secure  adequate  funding  before  entering  into  contractual  commitments  for 
capital  projects 

Our  audit  findings 

The  Authorities  processes  for  approving  internally  funded  or  debt-financed 
projects  need  to  be  improved.  While  the  Regional  Health  Authority  Regulation 
refers  to  a  directive  that  is  supposed  to  specify  the  dollar  limit  for  projects  that 
require  the  Minister's  approval,  we  were  unable  to  find  this  directive. 
However,  both  the  capital  plan  and  Hospitalization  Benefits  Regulation  refer  to 
capital  project  limits  of  $2.5  million. 

The  Authorities  incurred  total  expenditures  and  contractual  commitments  of 
$277  million  on  the  capital  projects  we  examined,  but  they  had  not  secured 
adequate  funding  (external,  internal  or  debt  financed)  before  starting  these 
projects.  By  2008,  the  Authorities  had  accumulated  deficits  of  $97  million. 
Authorities  in  an  accumulated  deficit  position  did  not  have  surplus  reserves  to 
fund  capital  projects,  either  internally  or  through  debt  financing.  The  boards  of 
the  Authorities  generally  approved  these  projects,  but  the  Minister  of  Health 
and  Wellness  did  not. 

The  following  are  some  examples  of  internally  funded  projects  that  were 
started  before  financing  was  obtained: 

•  Calgary  Health  Region  planned  to  obtain  debt  financing  to  construct 
two  parkades.  It  incurred  costs  of  $44  million  and  had  contractually 
committed  an  additional  $124  million  as  of  December  2008  for  the 

two  projects,  but  did  not  secure  debt  financing  before  starting  the  projects. 
Nor  did  Calgary  Health  Region  have  accumulated  surpluses  to  fund  the 
parkades  with  internal  funds. 

•  At  March  3 1 ,  2008,  Capital  Health  had  internally  funded  budget 
commitments  of  $305.5  million,  which  was  $294.3  million  in  excess  of 
the  internally  restricted  and  unrestricted  net  assets  as  well  as  debt 
financing  available.  As  of  January  2009,  Capital  Health  had  capital 
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projects  that  fit  within  this  category,  with  total  commitments  of 
approximately  $81  million.  C  apital  Health  did  not  have  sufficient  internal 
reserves  in  place  to  fund  these  projects. 

•  Peace  Country  Health  had  incurred  total  commitments  of  $6.4  million  for 
two  capital  projects,  although  it  did  not  have  secured  funding  (external, 
internal  or  debt  financing)  in  place  for  any  of  these  projects. 

The  Authorities'  multi-year  capital  plans  did  not  consider  the  operating  cost 
implications  for  all  capital  projects.  Alberta  Health  and  W  ellness  funded  the 
Authorities  through  global  funding,  which  was  based  on  population 
characteristics.  Historically,  the  Authorities  spent  all  of  their  operating  funds 
delivering  services  within  their  existing  capital  structure.  Therefore,  the 
increased  operating  costs  associated  w  ith  capital  projects  were  not  considered 
in  the  overall  capital  project  budget.  We  identified  this  issue  in  our  2005  2006 
audit  of  the  Department  of  Health  and  Wellness's  systems  for  funding 
Authorities.  It  remains  an  issue  that  is  also  now  more  significant  given  the 
number  of  capital  projects  that  AHS  is  responsible  for  and  its  budget 
challenges. 

Implications  and  risks  if  recommendation  not  implemented 

If  AHS  does  not  secure  sufficient  funding  for  capital  projects  before  they  start, 
it  may  need  to  re-divert  operating  funding    intended  for  health  care  service 
delivery — to  cover  unfunded  capital  project  costs.  If  approval  is  not  obtained 
from  the  Minister  of  Health  and  W  ellness,  the  Minister  may  not  be  aware  of  all 
major  capital  development  projects  and  the  risks  associated  with  them, 
including  future  operating  costs.  As  well,  from  a  pro\  incial  perspective,  the 
capital  project  may  not  be  considered  a  priority,  resulting  in  the  completion  of 
lower  priority  capital  projects  versus  higher  priorities.  As  well,  if  AI  IS  docs 
not  adequately  budget  for  future  operating  costs  associated  with  capital 
projects,  they  may  not  have  sufficient  funding  to  operate  the  planned  facility. 

2.5.3  Capital  project  monitoring  systems 
Recommendation  No.  32 

We  recommend  that  Alberta  Health  Services  improve  the  efficiency  and 
effectiveness  of  its  financial  capital  project  monitoring  and  reporting 
systems  and  processes  by: 

•  implementing  common  systems,  policies  and  procedures  to  track  and 
monitor  key  financial  information 

•  providing  relevant,  timely  and  accurate  information  to  Executive 
Management  and  the  Audit  and  Finance  Committee 
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I  inancial 
in  formation 
critical 


Financial 
management 
systems  need 
improvement 


Se\  era!  different 
systems  used 


Examples  of 
inefficiencies  and 
errors 


Background 

Key  financial  information  such  as  the  approved  budget,  contractual 
commitments,  change  orders,  actual  and  forecasted  costs  are  critical  to 
effectively  monitor  capital  projects  and  to  report  their  status  to  Alberta  Health 
Services  (AHS)  executive  management  and  the  Audit  and  Finance  Committee. 

Criteria:  the  standards  we  used  for  our  audit 

AHS  should  have  effective  and  efficient  financial  management  systems  to 
monitor  and  report  financial  information  on  capital  projects  promptly.  This 
includes  information  on  project  budgets,  commitments,  secured  funding,  actual 
and  forecasted  expenditures  and  future  operating  costs. 

Our  audit  findings 

The  Authorities  used  a  variety  of  financial  capital  project  monitoring  and 
reporting  systems  and  processes.  These  systems  and  processes  were  inefficient, 
prone  to  errors,  and  did  not  enable  staff  to  efficiently  produce  timely,  relevant 
and  accurate  financial  information  for  AHS  executive  management  and  the 
Audit  and  Finance  Committee. 

Information  technology  systems 

The  Authorities  used  a  variety  of  project  management  systems  to  track  capital 
project  financial  information  such  as  budgets,  commitments  and  actual  costs. 
Thus,  it  was  time-consuming  to  create  a  complete  report  with  key  financial 
information  of  all  capital  projects  in  the  Authorities. 

Some  financial  capital  project  management  systems  were  inefficient  and  prone 
to  error.  For  example: 

•  Capital  Health  had  a  separate  capital  project  management  system  that 
tracked  budgets,  commitments  and  actual  costs,  but  finance  staff  had  to 
re-enter  invoices  in  the  financial  reporting  system.  Capital  Health  did  not 
agree  the  information  between  the  two  systems  to  ensure  the  information  it 
used  to  monitor  and  report  on  capital  projects  was  complete  and  accurate. 

•  Peace  Country  Health  and  East  Central  Health  entered  the  actual  costs  into 
their  financial  reporting  systems,  and  then  used  complex  spreadsheets  to 
extract  the  information  from  these  systems.  However,  neither  the  financial 
reporting  system  nor  the  spreadsheets  tracked  key  financial  information 
such  as  contractual  commitments.  East  Central  Health  depended  on  one 
employee  to  ensure  complex  spreadsheets  functioned  properly.  After  the 
employee  left,  other  staff  had  difficulty  producing  the  same  information. 

•  East  Central  Health  used  a  manual  project  binder  to  track  and  monitor 
actual  costs  against  contractual  commitments.  This  was  time  consuming 
and  prone  to  errors. 
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Access  to  systems 
needs  to  he 
impro\  ed 


•     In  Peace  C  ountry  Health's  capital  project  spreadsheets,  we  noted 

inaccuracies  in  the  data.  For  example,  in  one  case,  the  forecasted  costs  for 
the  project  were  only  $578. ()()().  which  were  less  than  the  actual  costs 
incurred  to  date  of  $61  1.000. 

In  addition.  C  apital  Health  and  Peace  Country  Health  can  improve  the  access 
controls  to  their  capital  project  management  systems  and  spreadsheets.  They 
did  not  have  clear  policies  and  processes  to  ensure  only  appropriate  staff  had 
access  to  these  systems. 


Reporting  is  not 
complete  or 
accurate 


Record  costs  promptly  and  consistently 

Capital  project  reports  provided  to  AHS  executive  management  and  the  Audit 
and  Finance  Committee  are  not  complete  and  are  not  accurate  because 
significant  capital  project  costs  that  arc  incurred,  but  not  yet  paid,  are  not 
recorded  on  a  timely  or  consistent  basis.  Monthly  .  Calgary  Health  Region  and 
Capital  Health  recorded  the  significant  unpaid  costs  incurred  for  capital 
projects.  But  Calgary  Health  Region  did  not  have  guidance  for  staff  that  sets  a 
threshold  they  can  use  to  determine  w  hich  unpaid  transactions  should  be 
recorded — this  decision  was  based  on  the  professional  judgment  of  staff.  Fast 
Central  Health  and  Peace  Country  Health  only  recorded  unpaid  but  incurred 
costs  at  year-end.  They  did  not  record  them  monthly  or  quarterly. 


New  monthly 
status  report 
implemented 


Reporting  to  AHS  executive  management  and  the  Audit  and  Finance 
Committee 

In  January  2009,  AHS  implemented  a  standard  monthly  project  status  report 
template  for  government  funded  capital  projects  exceeding  $2.5  million.  These 
reports  include  an  update  on  the  project  status,  milestone  dates  as  well  as  kc\ 
financial  information  such  as  budget,  funding  secured,  year-to-date 
expenditures,  outstanding  commitments,  forecasted  expenditures  and  variance 
explanations.  However,  this  reporting  template  is  not  required  for  projects  that 
are  funded  through  other  sources,  such  as  donations,  internal  reserves  or 
financed  through  debt. 


Reporting  to  the 
Committee  needs 
improvement 


In  November  2008,  the  AHS  executive  management  presented  a  report  to  the 
Audit  and  Finance  Committee  listing  all  capital  projects  in  progress  in  the 
Authorities.  The  report  included  the  approved  budget,  funding  source  and 
forecasted  costs  by  project.  However,  AHS's  reporting  could  be  improved  by: 

•  providing  it  to  the  Audit  and  Finance  Committee  at  least  quarterly 

•  including  totals  for  key  financial  information 

•  including  contractual  commitments 

•  identifying  the  internal  funds  that  arc  available  for  internally  funded 
projects 
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•  including  estimated  future  operating  costs  associated  with  new 
infrastructure 

Implications  and  risks  if  recommendations  not  implemented 

AHS  may  not  be  able  to  effectively  approve,  monitor  and  control  capital 
projects,  resulting  in  cost  overruns  and  missed  deadlines.  Inefficient  systems 
and  processes  increase  costs  and  the  risk  of  errors. 

2.6  Year-end  financial  reporting  processes 
Recommendation 

We  recommend  that  Alberta  Health  Services  improve  its  year-end 
financial  reporting  processes  by: 

•  clearly  defining  roles,  responsibilities  and  decision  making  authorities 
for  financial  reporting 

•  improving  processes  to  identify  and  resolve  key  accounting  risks  and 
reporting  issues  on  a  timely  basis 

Background 

Although  the  nine  regional  health  authorities,  two  provincial  boards  and 
AADAC  (the  "Authorities")  were  amalgamated  into  one  health  authority — 
Alberta  Health  Services  (AHS)— on  April  1,  2009,  each  Authority  was 
required  to  produce  its  own  financial  statements  for  the  year  ended 
March  3  1 ,  2009.  On  April  1,  2009,  all  the  Authorities  amalgamated  with  East 
C  entral  Health  (ECH),  whose  name  changed  to  Alberta  Health  Services. 

In  2008-2009,  several  staff  in  the  Authorities'  finance  departments  either  quit 
or  w  ere  terminated.  Most  of  these  positions  were  not  replaced  and  each 
Authority  operated  within  its  remaining  staff  capacity.  The  vacant  positions 
were  at  all  levels,  including  senior  management,  as  well  as  lower  level 
positions.  In  addition,  a  number  of  the  remaining  members  of  senior 
management,  including  the  CFOs,  were  assigned  positions  to  assist  with  the 
AHS  transition. 

Criteria:  the  standards  we  used  for  our  audit 

Responsibility  for  financial  reporting  should  be  clearly  defined  and 
communicated  and  there  should  be  appropriate  processes  and  controls  in  place 
to  ensure  that  year-end  financial  statements  are  accurate,  complete  and  timely. 

Our  audit  findings 

The  lack  of  clear  roles,  responsibilities  and  direction  provided  to  the 
Authorities  by  AHS  resulted  in  inaccurate,  incomplete  and  untimely  financial 
statements  as  well  as  an  inefficient  year-end  audit  process.  Most  Authorities 
had  significant  errors  in  their  financial  statements  that  had  to  be  corrected.  The 
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Authorities  corrected  errors  totalling  SI 47  million  that  were  identified  through 
our  audits.  Hrrors  not  adjusted  by  the  Authorities  totalled  $1°-  million.  As  a 
result  of  the  issues  arising,  the  audit  of  AHS  took  significantly  longer  than 
expected  and  resulted  in  substantial  additional  out-of-pocket  costs. 


Complete  and 
accurate  financial 
statements  not 
produced  within 
timelines 


Competing 
demands  eaused 
inefficiencies  and 
quality  suffered 


Lack  of 

responsibility  and 
accountability 


Due  to  staff  turnover  in  the  finance  departments  and  unique  transactions 
associated  with  the  AHS  transition,  all  of  the  Authorities  struggled  \\  ith 
producing  complete  and  accurate  financial  statements  w  ithin  the  predetermined 
and  agreed  timelines.  In  most  Authorities,  there  were  significant  delays  in 
receiving  draft  financial  statements  and  supporting  documentation  to  facilitate 
the  year-end  audit  process.  In  one  Authority,  draft  financial  statements  w  ere 
not  completed  until  two  weeks  after  the  deadline.  Although  most  Authorities 
submitted  financial  statements  to  the  Department  of  Health  and  W  ellness  at  the 
end  of  April  2009,  some  information  in  the  financial  statements  did  not  have 
sufficient  supporting  documentation  to  substantiate  the  amounts  at  that  time. 
Most  Authorities  did  not  have  reasonably  complete  financial  statements  and 
supporting  documentation  available  for  audit  until  May  12.  2009 — two  weeks 
after  the  agreed  upon  deadline. 

At  year-end.  as  well  as  during  the  audit.  AHS  gave  the  Authorities*  finance 
departments  a  number  of  unrelated  tasks  w  ith  deadlines.  The  year-end 
reporting  and  audit  did  not  appear  to  be  a  priority,  which  created  significant 
inefficiencies.  The  financial  statements  and  supporting  documentation  lacked 
quality. 

There  was  no  clear  understanding  w  ithin  the  Authorities  on  w  ho  w  as 
responsible  or  accountable  for  the  March  31,  2009  financial  reporting.  In 
previous  years,  each  Authority  operated  independently  in  determining  certain 
accounting  policies,  making  professional  judgments  and  determining 
accounting  estimates  that  impacted  its  year-end  financial  statements.  However, 
with  the  transition  to  AHS,  it  was  not  clear  what  AHS's  role  was  in  preparing 
the  Authorities*  financial  statements,  making  professional  judgments  and 
determining  the  estimates.  Although  AHS  provided  some  year-end  accounting 
directions  to  the  Authorities  on  an  ad  hoc  basis,  the  Authorities  did  not  always 
follow  the  directions. 


Unique 
transactions 
needed  guidance 
from  AHS 


There  were  a  significant  number  of  unique  transactions  resulting  from  the 
transition  to  AHS.  and  other  matters,  that  required  direction  from  AHS 
management  to  ensure  transactions  were  recorded  consistently,  appropriately 
and  completely  within  the  Authorities  financial  statements.  In  a  number  of 
instances.  AHS  either  did  not  provide  this  direction,  provided  incorrect 
direction  or  did  not  provide  the  direction  on  a  timely  basis,  w  hich  resulted  in 
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incomplete  and  inaccurate  financial  statements  in  the  Authorities.  Examples 
include: 

•  East  Central  Health  (ECH)  received  an  $80  million  grant  from  the 
Department  of  Health  and  Wellness  (Health)  for  transition  expenses. 
Although  the  grant  was  provided  to  ECH,  each  of  the  Authorities  had  also 
incurred  and  recorded  transition  expenses.  AHS  provided  direction  to  the 
Authorities  on  accounting  for  these  transition  expenses  and  for  the  grant 
received  from  Health  through  ECH.  However,  AHS  did  not  consult  with 
Health;  the  accounting  direction  they  provided  was  not  correct.  This 
resulted  in  errors  totalling  $49  million  in  ECH's  financial  statements  as 
well  as  in  significant  classification  errors  within  each  of  the  Authority's 
financial  statements. 

•  Included  in  the  $80  million  transition  grant  from  Health  was  designated 
funding  for  the  Authorities*  unfunded  supplementary  retirement  plans. 
When  we  consulted  with  AHS,  they  did  not  understand  the  restrictions 
associated  with  the  funding  and  how  it  should  be  accounted  for.  After 
seeking  clarification  from  Health,  it  was  determined  that  four  Authorities 
had  understated  their  revenues  by  $21  million. 

•  EC!  1  received  a  $63  million  capital  grant  from  Health  for  capital  projects 
in  other  Authorities.  ECH  was  not  aware  of  this  grant  and  had  not 
confirmed  with  the  other  Authorities  if  any  of  these  funds  were  spent  prior 
to  the  year-end. 

•  Prior  to  year-end,  the  AHS  President  and  CEO  approved  an  additional 

$7  million  expense  to  transfer  employees'  service  from  the  Public  Service 
Pension  Plan  to  the  Local  Authorities  Pension  Plan,  for  Alberta  Cancer 
Board  (ACB)  and  AADAC  employees.  AHS  was  not  aware  of  this 
decision,  although  the  ACB  and  AADAC  were.  The  $80  million  grant 
EC!  1  received  from  Health  included  designated  funds  to  cover  this 
expense,  but  neither  ACB,  AADAC  nor  ECH  recorded  this  transition 
expense. 

»     Given  the  economic  downturn,  there  was  an  increased  likelihood  that 
Authorities  had  experienced  losses  in  their  investment  portfolios.  The 
Authorities  needed  to  complete  a  detailed  analysis  to  determine  if  the 
losses  should  be  recognized  in  their  surplus  or  deficit  for  the  year.  AHS 
provided  guidance  to  the  Authorities  on  this  matter,  but  only  two  weeks  in 
advance  of  their  year-end. 

►     Although  there  was  a  process  to  confirm  transactions  between  the 

Authorities,  discrepancies  were  not  followed  up  or  resolved.  There  was  no 
oversight  review  process  by  AHS. 
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Implications  and  risks  if  recommendation  not  implemented 

AHS  may  have  inaccurate,  incomplete  and  untimely  financial  statements  and 
management  may  make  incorrect  financial  decisions  if  it  relies  oil  this 
information. 

2.7  Expenditure  policies  and  approvals 
Recommendation 

We  recommend  that  Alberta  Health  Services  improve  the  efficiency  and 
effectiveness  of  its  expense  approval  controls  by: 

•  developing  and  implementing  a  clear  and  comprehensive  expenditure 
approval  policy 

•  automating  the  expenditure  controls  within  the  purchasing  system 
Background 

S9.9  billion  m  For  fiscal  2008-2009.  the  Authorities  (nine  regional  health  authorities, 

expenses  ^q  provincial  health  boards  and  AADAC)  incurred  expenditures  totalling 

$9.9  billion.  Of  this,  $4.5  billion  was  processed  using  the  Authorities' 
purchasing  systems,  while  the  remaining  $5.4  billion  was  processed  using  the 
Authorities*  payroll  systems. 

Criteria:  the  standards  we  used  for  our  audit 

Expenses  should  be  appropriately  approved  in  accordance  with  an  expenditure 
approval  policy  and  the  process  and  controls  for  verifying  authorization  should 
be  efficient  and  effective. 


Expense  approval 
policies  need  to  be 
improved 


Our  audit  findings 

The  Authorities'  expense  approval  policies  were  inconsistent;  some  were  not 
clear  and  one  Authority  didn't  even  have  one.  For  example,  in  one  Authority 
the  expense  approval  policy  defined  the  authorization  limits  for  non-routine 
transactions  only.  Authorization  limits  for  routine  transactions  were  not 
defined.  As  well,  expense  approval  controls  were  not  operating  effectively  in 
one  Authority. 


Manual  approval 
\  erification 
processes  used 


In  all  but  one  Authority,  manual  verification  processes  were  used  to  ensure 
expenditures  were  appropriately  authorized.  Capital  Health  used  automated 
system  controls  to  verify  approval.  Given  the  volume  of  transactions  Alberta 
Health  Serv  ices  w  ill  be  processing  in  the  future  and  the  number  of  employees 
that  will  be  involved  in  the  processes,  it  is  critical  that  AHS  have  a 
comprehensive,  clear,  efficient  and  effectiv  e  expense  approval  policy.  The) 
should  consider  automating  the  approval  controls. 
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Implications  and  risks  if  recommendation  not  implemented 

Given  the  volume  of  transactions  and  number  of  expenditure  officers, 
manually  verifying  expense  authorizations  is  inefficient  and  ineffective.  If 
expenses  are  not  appropriately  authorized  in  accordance  with  a  clear  and 
comprehensive  expense  approval  policy,  inappropriate  expenses  and 
disbursements  may  occur. 

2.8  Approval  of  drug  purchases 
Recommendation 

We  recommend  that  Alberta  Health  Services  improve  controls  for  drug 
purchases  by  ensuring  they  are  properly  approved  and  duties  are 
appropriately  segregated. 

Background 

Calgary  Health  Region's  ("the  Authority")  inventory  technicians  process  drug 
purchase  orders  in  the  Centricity  system  and  place  the  order.  Once  the  drugs 
are  received,  the  quantities  are  also  entered  into  Centricity  by  the  receiving 
clerks.  Inventory  technicians  receive  the  invoice  and  match  the  invoice  to  the 
purchase  order  and  receiving  information.  The  invoice,  purchase  order  and 
receiving  report  are  then  forwarded  to  the  Accounts  Payable  Department  for 
payment. 

The  Authority  spent  approximately  $90  million  on  drugs  and  gases  each  year. 
Criteria:  the  standards  we  used  for  our  audit 

Drug  purchases  should  be  approved  by  an  expenditure  officer  before  orders  are 
placed. 

Our  audit  findings 

Although  the  inventory  technicians  were  instructed  not  to  enter  receiving 
information  into  Centricity,  they  had  the  ability  to  do  so.  As  well,  we  tested 
1 5  drug  purchases  and  found  that  none  of  them  were  approved.  The  in  ventory 
technicians  who  processed  the  drug  purchase  orders  were  not  expenditure 
officers  and,  therefore,  did  not  have  delegated  authority  to  approve  the 
purchase.  The  invoices  were  also  not  approved  by  any  other  expenditure 
officer. 

Implications  and  risks  if  recommendation  not  implemented 

If  drug  purchases  are  not  authorized,  Alberta  Health  Services  may  incur 
inappropriate  purchases  and  financial  losses. 
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2.9  Physician  recruitment  incentives 
Recommendation 

We  recommend  that  Alberta  Health  Services  improve  controls  for 
physician  recruitment  incentives  In  developing  and  implementing  a  policj 
that  identities: 

•  criteria  and  approvals  required  tor  granting  loans,  income  guarantees 
and  relocation  allowances 

•  monitoring  and  collection  procedures  tor  physician  loans 


Loans,  income 
support  and 
relocation 
allowances 
provided  to 
physicians 


Background 

Palliser  Health  Region  ("the  Authority,'')  had  entered  into  recruitment 
agreements  with  physicians.  These  agreements  included  loans  to  assist 
physicians  in  establishing  their  practices,  income  support  by  way  of  an  income 
guarantee  for  a  defined  period  and  relocation  allowances.  The  recruitment 
agreements  documented  the  terms  of  the  loan,  the  income  support 
specifications  and  amount  of  the  relocation  allowance  as  applicable. 


S79 1,000  in  loans 
outstandinn 


The  loans,  issued  in  increments  of  up  to  $100,000,  were  to  be  repaid  over  a 
three-year  term  and  were  interest-free  in  the  first  year.  At  March  3 1 .  2009,  the 
Authority  had  recorded  a  receivable  for  $791,000  related  to  16  physician  loans. 


Income 

guarantees  ranged 
from  S200.000  to 
S400.000 


Of  the  16  recruitment  agreements  that  had  loans  outstanding,  six  included 
income  guarantee  specifications  ranging  from  $200,000  to  $400,000  covering 
the  first  two  years  of  the  physician's  practice.  The  income  guarantee  on  five  of 
these  loans  expired  in  2008-2009. 


Criteria:  the  standards  we  used  for  our  audit 

Policy  and  procedures  should  be  established  and  followed  for  approving  the 
components  of  recruitment  agreements.  Procedures  should  be  implemented  for 
monitoring  and  collecting  physician  loans. 


No  policies  for 
physician 
recruitment 
incentives 


Our  audit  findings 

The  Authority  did  not  have  a  policy  for  granting  physician  recruitment 
incentives,  including  the  loans.  In  2008-2009,  the  (then)  Chief  Executive 
Officer  or  the  Chief  Financial  Officer  for  the  Authority  authorized  six  loans 
totalling  $400,000.  Of  the  recruitment  agreements  where  loans  were  issued  in 
the  year,  one  recruitment  agreement  included  an  income  guarantee 
specification  of  $300,000  for  the  first  two  years  of  practice.  The  Authority  also 
provided  relocation  allowances  aggregating  to  $139,000. 
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The  Authority  did  not  have  documented  procedures  for  collecting  and 
monitoring  the  loans.  Monitoring  was  performed  informally  by  the  Chief 
Financial  Officer  and  loan  interest  was  not  recognized  until  the  final  loan 
payment  had  been  received. 

Implications  and  risks  if  recommendation  not  implemented 

Without  appropriate  policies  and  procedures,  controls  for  physician  loans  or 
income  guarantees  may  be  inadequate  and  Alberta  Health  Services  may  make 
inappropriate  loans  or  guarantees,  resulting  in  financial  losses. 

2.10  Compliance  with  investment  policy 
Recommendation 

We  recommend  that  Alberta  Health  Services  communicate  its 
in\  estment  policy  to  its  asset  manager  and  monitor  its  investment 
portfolio  on  a  regular  basis  to  ensure  compliance  with  the  investment 
policy. 

Background 

David  Thompson  Health  Region  ("the  Authority')  had  "Borrowing  and 
Investment  B>  laws"  that  provided  minimum  and  maximum  percentages  for 
its  investment  portfolio  as  follows: 


No  procedures  for 
monitoring  or 
collecting  loans 


Investment 
bylaws  and  policy 
statement  exist 


Minimum 

Maximum 

Cash  and  cash  equivalents 

20% 

100% 

Fixed  income 

0% 

60% 

Equities 

0% 

20% 

The  Authority  also  had  an  investments  policy  statement  that  provided  more 
specific  guidance. 


Criteria:  the  standards  we  used  for  our  audit 

The  composition  of  an  Authority's  investment  portfolio  should  comply  with 
any  related  bylaws  or  investment  policies. 
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Our  audit  findings 

Authority  not  in  \yc  compared  the  composition  of  the  Authority's  investment  portfolio  at 

compliance  with  March  3 1  2009,  to  the  "Borrowing  and  Investment  Bylaws"  and  the 

in\  estment  policy 

statement  Investments  Policy  Statement.  The  investment  portfolio  appeared  to  be  fully 

compliant  with  the  "Borrowing  and  Investment  Bylaws."  I  low  ever,  within 
the  Investments  Poliev  Statement,  the  Authoritv  was  not  in  compliance  with 
the  follow  ing  tw  0  items: 

•  Corporate  Bonds — investment  may  be  made  only  in  bonds  rated  A  or 
higher  and  in  total  no  more  than  5%  of  the  Authority's  total  bond 
portfolio  may  be  invested  in  corporate  bonds. 

•  Non-Canadian  equities — will  be  limited  to  30%  of  the  total  equity 
portfolio. 

Specifically,  we  noted  that  at  March  31,  2009.  the  Authority  had 
approximately  $4.4  million  invested  in  the  TD  Private  Canadian  Corporate 
Bond  Fund.  This  represented  approximately  43°  0  of  the  Authority's  total 
bond  portfolio — well  in  excess  of  the  5%  allocation  to  corporate  bonds 
envisioned  by  the  Investment  Policy. 

At  March  31,  2009.  the  Authority's  US  equities  had  a  market  value  of 
approximately  $1.6  million,  representing  about  38%  of  the  Authoritv 's  equity 
portfolio,  exceeding  the  prescribed  30%. 

Implications  and  risks  if  recommendation  not  implemented 

[f  the  investment  portfolio  is  not  in  compliance  w  ith  the  Alberta  I  lealth 
Service's  underlying  bylaws  and  policies,  the  investment  portfolio  may  be 
subject  to  more  risk  than  intended  by  its  oversight  body. 


Financial  statements 

Unqualified  Our  auditor's  opinions  on  the  Ministry  and  Department  financial  statements  for  the 

au  1  or  s  opinions  ended  March  3 1 ,  2009,  are  unqualified.  The  Ministry  consolidated  the  health 

authorities  and  health  boards  using  the  modified  equity  method.  The  modified 
equity  method  is  allowed  as  a  transition  to  line-by-line  consolidation,  which  will  be 
required  for  the  year  ending  March  3  1 .  2010. 

We  issued  unqualified  auditor's  opinions  on  the  financial  statements  for  the  year 
ended  March  31,  2009  of  the  following  entities: 

•  Alberta  Alcohol  and  Drug  Abuse  Commission 

•  Alberta  Cancer  Board,  and  Alberta  Cancer  Foundation 

•  Alberta  Mental  Health  Board 
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•  Aspen  Regional  Health  Authority 

•  Calgary  Health  Region,  Calgary  Laboratory  Services  Ltd.,  and  Carewest — its  1 
wholly  owned  subsidiaries  i 

•  Capital  Health,  and  Capital  Care  Group  Inc. — its  wholly  owned  subsidiary  a 

•  Chinook  Regional  Health  Authority  ( 

•  David  Thompson  Health  Region 

•  East  Central  Health  1 

•  Health  Quality  Council  of  Alberta  < 

•  Northern  Lights  Health  Region  ( 

•  Palliser  Health  Region  i 

•  Peace  Country  Health 


Unqualified 
review 

engagement  report 


Performance  measures 

The  Ministry  engaged  us  to  review  selected  performance  measures  in  the  Ministry's 
2008-2009  Annual  Report.  We  issued  an  unqualified  review  engagement  report  on 
these  measures. 
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Housing  and  Urban  Affairs 

Summary 

The  Department  should  improve  processes  for  monitoring  direct  rent  supplement 
pa\  ments    sec  below 

The  Department  has  implemented  our  recommendation  to  assess  the  status  of  funds 
advanced  to  grant  recipients  for  affordable  housing — see  page  284 

For  any  outstanding  recommendations  previously  made  to  the  organizations  that 
form  the  Ministry,  please  see  our  outstanding  recommendations  list  on  page  335. 


Our  audit  findings  and  recommendations 

1 .    Direct  rent  supplement  program  payments 
Recommendation 

We  recommend  that  the  Department  of  Housing  and  Urban  Affairs 
improve  its  monitoring  processes  of  direct  rent  supplement  payments 
issued  by  management  bodies,  by  requiring  periodic  reviews  of  these 
payments. 


Grants  are 
provided  to 
management 
bodies 


Background 

The  Department  of  Housing  and  Urban  Affairs  administers  the  direct  rent 
supplement  program.  The  Department  provides  grants  to  the  management 
bodies.1  Management  bodies  then  provide  assistance  to  Albertans  who  need 
help  paying  for  their  rent.  The  management  bodies  are  required  to  maintain  the 
funds  in  a  separate  bank  account  and  return  any  portion  of  uncommitted  funds 
within  90  days.  The  grants  totalled  $40  million  for  the  year  ended 
March  3 1 ,  2009. 


Department  enters 
into  agreements 
with  management 
bodies  to  deliver 
program 


The  Department  has  entered  into  agreements  for  delivery  of  this  program  with 
40  management  bodies.  There  are  seven  major  management  bodies  delivering 
this  program  in  the  following  areas:  Edmonton,  Calgary,  Fort  McMurray, 
Grande  Prairie,  Red  Deer,  Medicine  Hat  and  Lethbridge.  For  these  management 
bodies,  they  approve  the  applications  for  the  direct  rent  supplement  program. 
For  other  management  bodies,  the  Department  reviews  and  approves  each 
application.  Each  management  body  receives  an  administration  fee  to  cover  the 
costs  of  processing  the  application  and  making  payments. 


1  Management  bodies  are  not-for-profit  organizations  that  are  established  under  the  Alberta  Housing  Act,  R.S.A.  2000, 
c.A-25.  Management  bodies  administer  the  Ministry's  affordable  housing  assets.  There  are  over  130  management  bodies 
located  throughout  Alberta. 
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Criteria:  the  standards  we  used  for  our  audit 

Processes  should  exist  to  ensure  that  payments  made  by  management  bodies  on 
behalf  of  the  Department  are  supported  and  accurate. 

Our  audit  findings 

Management  bodies  that  administer  the  direct  rent  supplement  payments 
provide  monthly  detailed  reports  on  who  was  paid,  the  payee's  address,  and 
how  much  was  paid.  The  management  bodies  also  provide  information  on  what 
additional  funding  is  needed  to  meet  expected  demand.  However,  the 
Department  does  not  periodically  review  or  obtain  other  assurance  that 
payments  are  appropriate  and  supported. 

The  Department  requires  audits  of  the  financial  statements  of  the  management 
bodies  for  the  purposes  of  funding  their  operating  surplus  and  deficit.  However, 
the  direct  rent  supplement  payments  are  not  included  in  the  management 
bodies"  financial  statements  submitted  to  the  Department.  Therefore,  these 
payments  are  not  included  in  the  scope  of  these  financial  statement  audits. 

Implications  and  risks  if  recommendation  not  implemented 

Payments  made  by  management  bodies  may  not  be  supported. 

2.   Affordable  housing — implemented 

In  our  October  2008  Report  (page  336),  we  recommended  that  the  Ministry  of 
Housing  and  Urban  Affairs  assess  the  status  of  funds  advanced  to  grant 
recipients  who  have  not  commenced  the  construction  of  affordable  housing 
projects. 

Management  agreed  with  this  recommendation.  Steps  taken  by  management  to 
implement  this  recommendation  included: 

•  assessing  the  status  of  advanced  funds  for  projects  approved  from 
2003-2004  to  2007-2008 

•  quarterly  reporting  on  project  status 

•  revising  the  payment  schedule  for  new  grant  agreements 

•  adding  provisions  to  the  grant  agreement  specifying  construction  timelines 
and  quarterly  reporting 


No  periodic 
review 


Status  of  funds 
advanced  for 
affordable  housing 
projects  is  now- 
being  assessed 
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Financial  statements 

Unqualified  Qur  auditor's  opinions  on  the  financial  statements  of  the  Ministry.  Department  and 

a   itor  s  opinions    ^  Alberta  Social  Housing  Corporation  for  the  year  ended  March  3 1 ,  2009  were 
unqualified. 


Unqualified 
review 

engagement  report 


Performance  measures 

The  Ministry  engaged  us  to  review  selected  performance  measures  in  the  Ministry's 
2008  2009  Annual  Report.  We  issued  an  unqualified  review  engagement  report  on 
these  measures. 
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Infrastructure 

Summary 


The  Ministry  should: 

•  develop  and  implement  an  information  technology  risk  assessment 
framcw  ork    sec  below 

•  improve  password  controls  or  implement  compensating  controls  to  control 
access  to  applications — see  page  288 


Our  audit  findings  and  recommendations 

1 .    IT  risk  management 
Recommendation 

We  recommend  that  the  Ministry  of  Infrastructure  develop  and  implement 
an  information  technology  risk  management  framework. 

Background 

IT  risk  management  is  the  analysis,  identification,  documentation,  assessment, 
and  prioritization  of  risks,  followed  by  coordinated  and  economical  application 
of  resources  to  minimize,  monitor,  and  control  the  probability  and/or  impact  of 
unfortunate  events.  IT  risks  can  originate  from  many  sources,  including  project 
failures,  accidents,  natural  causes  and  disasters,  as  well  as  deliberate  attacks. 
Several  risk  management  standards  have  been  developed,  including  the  Project 
Management  Institute.  COSO  and  ISO  standards. 

Criteria:  the  standards  we  used  for  our  audit 

The  Ministry  of  Infrastructure  should: 

•  have  a  comprehensive  risk  management  framework  that  identities  all 
information  technology  risks  that  it  must  manage 

•  implement  control  processes  to  economically  manage  or  mitigate  identified 
information  technology  risks 

Our  audit  findings 

The  Ministry  assesses  risks  in  its  IT  environment  as  part  of  their  ongoing 
operations  through  activ  ities  including  business  continuity  planning  (BCP)  and 
project  management.  By  assessing  risk  on  case-by-case  situations,  like  when 
they  are  evaluating  a  new  project,  the  Ministry  is  only  able  to  obtain  a  limited 
view  of  the  risks  affecting  their  environment.  The  Ministry  does  not  currently 
have  a  process  to  collate  all  of  these  risk  assessments  from  the  projects,  BCP 
and  other  sources,  to  understand  IT-related  risks  (such  as  changes  in  technology 
and  threats  from  new  malvvare),  and  to  be  sure  that  all  risks  are  identified  and 
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mitigated.  The  Ministry  relies  on  the  expertise  and  knowledge  of  its  senior 
management  to  manage  IT  risks,  and  ensure  that  their  risk-management  strategy 
is  consistently  applied.  However,  no  documentation  is  maintained  to  evidence 
this  evaluation. 

Implications  and  risks  if  recommendation  not  implemented 

The  Ministry  may  not  be  able  to  proactively  monitor  their  IT  risk  as  technology 
evolves  or  as  good  practices  for  protecting  their  environment  change.  A  risk- 
assessment  methodology  that  addresses  the  entire  environment  with  regular  risk 
assessments  would  allow  the  Ministry  to  maintain  continuity  in  managing  risk 
if  staff  lea\  e  or  change. 

Password  controls 
Recommendation 

We  recommend  that  the  Ministry  of  Infrastructure  improve  password 
controls  or  implement  compensating  controls  to  properly  control  access  to 
applications. 

Background 

Password  controls  are  an  integral  part  of  data  security.  They  ensure  that  users 
cannot  make  unauthorized  changes  to  systems,  applications  or  the  data  in  them. 
Passwords  are  needed  to  make  sure  that  only  people  who  hav  e  been  authorized 
can  access  the  business's  critical  applications. 

Criteria:  the  standards  we  used  for  our  audit 

The  National  Institute  of  Standards  and  Technology's  password  standards  are 
considered  good  practice.  We  used  these  standards  to  assess  the  application 
password  controls: 

•  passwords  should  be  at  least  eight  characters  long,  combining  mixed-case 
letters,  numbers  and  non-alphanumeric  characters 

•  users  should  be  required  to  periodically  change  their  passwords 

•  computer  accounts  should  be  automatically  locked  out  after  a  specified 
number  of  failed  login  attempts 

•  management  should  periodically  monitor  and  review  failed  and  successful 
login  attempts 

Our  audit  findings 

The  password  settings  for  the  Facilities  and  Building  Information  System 
(FBIS)  and  the  Contract  Management  System  (CMS)  did  not  meet  the 
established  good  practice  criteria.  While  the  applications  require  a  valid 
username  and  password  combination  to  access  the  system,  the  password  does 
not  have  to  contain  a  minimum  number  of  characters,  and  a  combination  of 
upper  and  lowercase  letters,  numbers  and  non-alphanumeric  characters. 
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Logging  and  monitoring  of  login  attempts  can  reduce  risk  associated  w  ith  weak 
passwords,  but  we  found  no  evidence  that  this  occurs. 

Implications  and  risks  if  recommendation  not  implemented 

Without  appropriate  password  and  access-monitoring  controls  in  place, 
unauthorized  users  may  be  able  to  access  information. 


Financial  statements 

Unqualified  Our  auditor's  opinion  on  the  Ministry  of  Infrastructure's  financial  statements  for  the 

auditor  s  opinion     year  en(jed  March  3 ,  ^  2009  is  unqualified. 

Performance  measures 

Unqualified  The  Ministry  engaged  us  to  review  selected  performance  measures  in  the  Ministrs  "s 

review  2008  2009  Annual  Report.  We  issued  an  unqualified  review  engagement  report  on 

engagement  report 

these  measures. 
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Past 

recommendations 


International  and  Intergovernmental 
Relations 

For  any  outstanding  recommendations  previously  made  to  the  organizations  that 
form  the  Ministry,  please  see  our  outstanding  recommendations  list  on  page  vvv 


Unqualified 
auditor's  opinion 


Unqualified 
review 

engagement  report 


Financial  statements 

Our  auditor's  opinion  on  the  Ministry  of  International  and  Intergovernmental 
Relations*  financial  statements  for  the  year  ended  March  31,  2009  is  unqualified. 

Performance  measures 

The  Ministry  engaged  us  to  rex  iew  selected  performance  measures  in  the  Ministry 's 
2008-2009  Annual  Report.  We  issued  an  unqualified  review  engagement  report  on 
these  measures. 
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Justice  and  Attorney  General 

Summary 

The  Department  of  Justice  should  clarify  collection  steps  for  judgments  assigned  to 
it  under  the  Motor  Vehicle  Accident  program  and  ensure  that  external  users  of  the 
Justice  Online  Information  Systems  are  following  the  Department's  policies  and 
procedures  for  granting  user  access. 

The  Ministry  has  implemented  the  following  recommendations: 

•  our  2006-2007  recommendation  to  develop  and  document  information 
technology  security  policies — see  page  296 

•  our  2006-2007  recommendation  to  document  and  test  disaster  recovery 
procedures  for  all  information  technology  systems — see  page  296 

•  to  improve  access  controls  over  its  information  systems — see  page  296 

The  Office  of  the  Public  Trustee,  Estates  and  Trusts  has  implemented  our 
recommendation  to  update  administrative  policies  for  client  assets — see  page  297 

For  any  outstanding  recommendations  previously  made  to  the  organizations  that 
form  the  Ministry,  please  see  our  outstanding  recommendations  list  on  page  335. 


Our  audit  findings  and  recommendations 

1.    Department  of  Justice 

1.1  Motor  vehicle  accident  program — Clarifying  collection  steps 
Recommendation  No.  33 

We  recommend  that  the  Department  of  Justice  clarity  the  collection  steps 
for  judgments  assigned  to  it  under  the  Motor  V  ehicle  Accident  program. 


Victims  can  apply 
to  MVAC  for 
payment 


Background 

The  Motor  Vehicle  Accident  Claims  (MVAC)  branch  of  the  Department  can 
become  involved  when  a  driver  is  in  an  accident  with  the  driver  of  an  uninsured 
vehicle  or  an  unknown  driver.  If  a  judgment  for  personal  injury  is  obtained 
against  the  uninsured  driver,  the  victim  can  apply  to  MVAC  for  payment. 


After  10  years 
judgment  can  be 
renewed 


[f  the  application  is  approved  by  MVAC,  the  judgment  is  assigned  to  the 
MVAC  administrator  who  pays  the  plaintiff  on  behalf  of  the  debtor.  There  are 
payment  limits  established  in  the  Motor  Vehicle  Accident  Claims  Act.  A 


'  R.S.A.  2000.  c.  M-22 
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judgment  remains  in  effect  for  10  years.  However,  the  Ministry  can  apply  to 
renew  the  judgment. 


Department  tracks 
amounts  owing 


The  amount  that  has  to  be  paid  back  to  the  Department  by  the  debtor  is 
proscribed  in  the  judgment.  The  Department  tracks  the  amount  of  debts  owing 
for  each  debtor. 


$159  million  in 
imeolleeted  debts 


At  March  3  I.  2009.  the  Department  had  $159  million  in  uncollected  debts  from 
uninsured  drivers.  Of  this  amount,  $67  million  or  42%  of  total  outstanding 
judgments  were  included  in  a  pending  write-off  category.  This  means  that  these 
files  are  no  longer  included  in  the  active  collection  efforts  taken  by  the 
Ministry.  There  are  about  $20  million  in  new  judgments  that  occur  each  year. 
About  $9  million  of  the  outstanding  judgments  are  classified  as  pending 
\\  rite-offs  each  year. 


Action  can  be 
taken  if  debtor 
docs  not  pay 


MVAC  can  take  several  steps  against  debtors  if  payment  arrangements  arc  not 
made.  These  steps  include  wage  garnishee,  bank  garnishee,  garnishee  of  federal 
government  refunds,  restricting  access  to  motor  vehicle  registrations, 
disqualifying  a  debtor  from  driving  or  placing  a  writ  against  property. 


Four  collectors 


There  are  four  collectors  and  a  collection  supervisor  responsible  for  collecting 
the  amounts  owed  by  the  debtors.  The  collector  and  the  collection  supervisor 
sign  a  form  recommending  and  approving  a  file  for  pending  write-off. 


Criteria:  the  standards  we  used  for  our  audit 

There  should  be  clearly  defined  collection  processes  for  debts  owed  to  the 
Department. 


Collectors  do  not 
consistently  take 
the  same 
collection  steps 


Our  audit  findings 

Clarifying  collection  steps  required  before  judgment  is  classified  as 
pending  write-off 

The  Department  does  not  have  clearly  defined  criteria  for  what  collection  steps 
should  be  taken  before  a  debtor  account  is  classified  as  a  pending  write-off. 

We  examined  20  files  that  were  classified  and  approved  by  the  collection 
supervisor  as  pending  write-off.  We  found  that  the  collectors  do  not 
consistently  take  the  same  collection  steps.  For  example,  in  three  out  of  the 
20  samples,  there  were  no  bankruptcy  checks  performed.  We  also  noted  that  in 
three  out  of  20  samples,  there  were  no  confirmations  received  from  the 
Department  for  licence  suspension.  Also,  it  was  not  clear  to  us  what  steps  must 
be  done  before  this  classification  can  be  made. 
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Not  clear  u  hat 
collection  steps 
were  taken 


The  Department  does  not  ha\e  clearlv  defined  procedures  tor  file  re\  iew  alter  a 
file  has  been  classified  as  a  pending  write-off  All  20  files  we  sampled  had  been 
rex  iewed  within  the  past  12  months.  This  was  evidenced  by  an  electronic  note- 
indicating  the  date  of  the  review.  However,  there  was  a  lack  of  documentation 
indicating  what  specific  collection  steps  were  taken  to  locate  a  debtor  or  ass^s 
the  status  of  a  file. 


No  criteria 


Revenue  could  he 
lost 


Clarifying  criteria  on  renewing  a  judgment 

A  staff  member  decides  w  hether  or  not  to  renew  a  judgment.  How  ever,  there 
are  no  established  criteria  or  procedures  for  w  hether  to  renew  a  judgment  that  is 
about  to  expire.  There  is  no  review  or  approval  of  this  assessment. 

Implications  and  risks  if  recommendation  not  implemented 

There  is  a  risk  of  lost  revenue  w  hen  there  are  inconsistent  collection  activities. 

1 .2  Access  controls 
Recommendation 

We  recommend  that  the  Department  of  Justice  obtain  assurance  that 
organizations  provided  access  to  the  Justice  On-line  Information  Network 
are  following  the  Department's  policies  and  procedures  for  granting  user 
access. 


JOIN  tracks 
information  on 
offender  status 


External  users 
delegated 
responsibility  to 
grant  access 
privileges  to  JOIN 


Background 

The  Justice  On-Line  Information  Network  (JOIN)  application  is  used  by  all 
provincial  police  forces  and  the  courts  to  track  information  on  offender  status.  It 
is  also  used  to  record  fine  payments. 

The  Department  has  delegated  external  organizations  such  as  police  forces 
across  Alberta  with  the  responsibility  to  set  up  JOIN  users.  The  Department 
enters  into  a  memorandum  of  understanding  with  each  external  organization.  It 
has  developed  procedures  to  evaluate  organizations  that  need  access  to  JOIN 
and  only  grants  access  to  organizations  that  have  a  valid  need.  One  or  two  staff 
at  each  organization  are  assigned  with  the  responsibility  of  setting  up  users,  and 
create  user  accounts  for  employees  at  their  organization  that  need  access  to 
JOIN. 


Criteria:  the  standards  that  we  used  for  our  audit 

The  Department  should  have  documented  and  effective  processes  for 
requesting,  establishing,  issuing,  suspending  and  promptly  closing  user  account 
access  to  all  critical  business  applications. 
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Assurance  needed 
that  JOIN  user 
access  polices  are 
followed 


Our  audit  findings 

Once  the  organization  has  been  given  ability  to  set  up  users  in  JOIN,  the 
Department  does  not  obtain  assurance  that  these  organizations  are  following  the 
Department's  policies. 


Offender 
in  formation 


For  example,  the  Department  does  not  have  a  process  to  periodically  confirm 
that  these  organizations  arc: 

•  approving  all  access  before  it  is  granted 

•  ensuring  that  the  access  privileges  issued  are  based  on  business  needs 

•  deleting  access  to  users  that  no  longer  require  access 

Implications  and  risks  if  recommendation  not  implemented 

Inappropriately  assigned  access  could  result  in  the  unauthorized  release  of 
offender  information. 


Ministry-wide 
security  policies 
implemented 


Detailed  disaster 
recovery  plan  in 
place  for  critical 
IT  business 
applications 


Improved  access 
controls 


1.3  Information  technology  security — implemented 

In  our  2006-2007  Annual  Report  (No.  31— vol.  2,  page  128),  we  recommended 
that  the  Ministry  of  Justice  and  Attorney  General  develop  and  document 
information  technology  security  policies.  The  Ministry  now  has  Ministry-wide 
security  policies  and  is  establishing  a  training  application  that  provides  IT 
security  training  for  Ministry  staff. 

1.4  Disaster  recovery  plan — implemented 

In  our  2006-2007  Annua/  Report  (vol.  2— page  129)  we  recommended  that  the 
Ministry  of  Justice  and  Attorney  General  document  and  test  disaster  recovery 
procedures  for  all  information  technology  systems.  The  Ministry  implemented 
this  recommendation  by  developing  a  detailed  disaster  recovery  plan  for  its 
critical  business  applications. 

1.5  Information  technology  access  controls— implemented 

In  our  2006-2007  Annua/  Report  (vol.  2— page  130)  we  recommended  that  the 
Ministry  of  Justice  and  Attorney  General  improve  access  controls  over  its 
information  systems.  We  consider  this  recommendation  implemented  as  the 
Ministry  has  strengthened  its  password  controls  and  regularly  reviews  user 
access  accounts  for  the  majority  if  its  systems  that  have  internal  users.  As 
indicated  in  our  access  control  recommendation  on  page  295,  JOIN  has  internal 
and  external  users  and  our  findings  are  included  in  a  separate  recommendation. 
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2.    Office  of  the  Public  Trustee,  Estates  and  Trusts— Administrative  policy 
changes — implemented 

Policies  are  |n  our  2007-2008  Annual  Report  (page  33  1 )  we  recommended  the  (  MYice  of  the 

updatcd  Public  Trustee,  Estates  and  Trusts  update  administrative  policies  for  client 

assets.  These  policies  have  been  updatcd.  and  therefore,  our  recommendation 

has  been  implemented. 


Financial  statements 

Unqualified  Our  auditor's  opinions  on  the  financial  statements  for  the  year  ended 

auditor's  opinions    March  3 1  ^  2Q09  of  the  Ministry  and  the  office  of  the  Public  Trustee.  Estates  and 

Trusts  are  unqualified. 

Performance  measures 

Unqualified  Tne  Ministry  engaged  us  to  review  selected  performance  measures  in  the  Ministry's 

review  2008  2009  Annual  Report.  We  issued  an  unqualified  review  engagement  report  on 

engagement  report  r 
these  measures. 
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Legislative  Assembly 

Financial  statements 

Unqualified  We  issued  unqualified  auditor's  opinions  on  the  financial  statements  of  the 

auditor's  opinions     following  Offices  of  the  Legislative  Assembly  for  the  year  ended  March  3 1 ,  2009: 

•  Legislative  Assembly  Office 

•  Office  of  the  Chief  Electoral  Officer 

•  Office  of  the  Lthics  Commissioner 

•  Office  of  the  Information  and  Priv  acy  Commissioner 

•  Office  of  the  Ombudsman 

A  private  sector  firm  of  chartered  accountants  appointed  by  the  Standing  Committee 
on  Legislative  Offices  audited  our  financial  statements. 
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Municipal  Affairs 

Summary 

The  Department  of  Municipal  Affairs  should: 

•  set  timelines  for  key  steps  that  must  be  performed  to  receive  federal 
government  funds  to  reimburse  disaster  recovery'  costs — see  below 

•  use  current  information  on  disaster  recover  costs  to  periodically  assess  and.  if 
necessary,  adjust  estimates  of  costs  and  recoveries — see  below 

For  any  outstanding  recommendations  previously  made  to  the  organizations  that 
form  the  Ministry,  please  see  our  outstanding  recommendations  list  on  page  335. 


Our  audit  findings  and  recommendations 

Disaster  Recovery  Program 
Recommendation  No.  34 

We  recommend  that  the  the  Department  of  Municipal  Affairs  improve  its 
management  of  the  disaster  recovery  program  by: 

•  setting  timelines  for  key  steps  that  must  be  performed  before  federal 
government  funding  can  be  received 

•  periodically  assessing  and  adjusting  costs  and  recovery  estimates  based  on 
current  information 


Ministry  provides 
natural  disaster 
funding 


Background 

Recovering  the  costs  of  disasters 

The  Department  of  Municipal  Affairs  provides  funding  for  disasters  that  occur  in 
the  Province  of  Alberta.  The  funding  is  provided  to  individuals,  businesses,  First 
Nations,  municipalities,  and  other  Government  of  Alberta  ministries.  The  costs 
reimbursed  to  these  individuals  and  organizations,  are  based  on  actual  eligible  costs 
incurred  to  repair  the  damage. 


Certain  costs 
recov  erable  under 
federal  program 


A  portion  of  these  costs  are  recoverable  from  the  federal  government's  Disaster 
Financial  Assistance  Arrangements  (DFAA)  program.  The  federal  government  will 
provide  financial  assistance  when  eligible  expenditures  exceed  $1  per  capita  based 
on  the  provincial  population.  The  Province  has  to  apply  to  the  federal  government  to 
determine  if  a  disaster  is  eligible  for  recovery.  This  request  for  financial  assistance 
must  be  made  by  the  province  within  six  months  of  the  disaster. 
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Federal 
government 
conducts  program 
specific  audits 


The  federal  government  conducts  audits  to  assess  if  the  costs  submitted  by  the 
Department  arc  eligible  for  recovery  under  federal  guidelines.  The  Department 
must  request  this  audit  in  advance.  For  large  disasters,  the  federal  government  may 
conduct  an  interim  audit  and  then  advance  funds  at  the  request  of  the  Department. 
When  the  project  is  complete,  a  final  audit  is  performed  and  any  remaining  funds 
arc  paid  to  the  Department.  The  audits  are  performed  at  the  request  of  the 
Department. 


Repairs  of 
damages  caused 
by  disaster  can 
take  several  years 
to  complete 


It  can  take  years  to  fully  repair  damage  resulting  from  a  flood  or  other  disaster. 
Municipal  Affairs  hires  a  contractor  to  estimate  the  costs,  administer  these  payments 
and  record  the  costs  for  each  disaster.  Under  the  new  DFAA  guidelines,  for  disasters 
occurring  after  January  1,  2008.  there  is  a  five-year  time  limit  for  the  completion  of 
repairs. 


Accounts 
receivable  from 
federal 
government 
estimated  at 
SI  15  million 


Estimates  included  in  the  financial  reporting 

The  Department  records  the  liability  to  repair  the  damage  after  the  disaster  has 
occurred  and  the  funding  has  been  approved  by  the  Legislature.  The  amount 
recorded  is  based  on  an  estimate  of  the  reimbursable  costs.  For  the  year  ended 
March  3 1 .  2009,  the  Department  has  estimated  total  accounts  receivable  from  the 
federal  gov  ernment  of  $1 15  million  for  all  disaster  programs.  The  majority  of  these 
receivables  are  for  the  2004  and  2005  disasters,  $10  million  and  $88  million, 
respectively. 

The  accounts  receivable  is  based  on  total  expenses  reimbursed  less  an  estimate  for 
ineligible  amounts. 


In  2008-2009  floods  occurred  in  Alberta.  One  of  the  areas  that  had  flood  damage 
was  south  western  Alberta.  The  costs  to  repair  the  damages  from  this  flood  are 
estimated  at  $9.3  million. 


Criteria:  the  standards  we  used  for  our  audit 

The  Department  should: 

•  apply  for  recoveries  prior  to  the  deadline 

•  ensure  estimates  reflect  the  most  accurate  information  available  to  management 
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Application  tor 
$3.4  million  in 
recoveries  not 
submitted  to 
federal 
go\  eminent 
before  application 
deadline 


Our  audit  findings 

Target  dates — applications 

Although  there  was  dialogue  with  the  federal  go\  eminent,  the  required  formal 
application  was  not  submitted  to  the  federal  government  on  or  prior  to  the 
application  deadline.  On  July  30.  2008.  the  Province  of  Alberta  approved  funding  to 
repair  the  damages  caused  by  the  May  2008  flood  in  southwestern  Alberta,  through 
an  Order1  in  Council.  The  Department  submitted  their  formal  request  for  the  disaster 
in  December  of  2008,  five  months  after  the  funding  was  approved.  To  comply  w  ith 
the  deadline,  the  application  should  have  been  submitted  to  the  federal  government 
by  the  end  of  November  2008.  six  months  after  the  disaster  occurred.  The  estimated 
recovery  for  this  disaster  is  $3.4  million.  The  Department  has  requested  the  federal 
government  to  reconsider  its  application,  and  discussions  were  ongoing  when  we 
completed  our  audit. 


Targets  dates  not 
established  for 
requesting 
required  audits 


Request  for  audits 

The  federal  government  will  not  advance  funding  until  an  interim  audit  of  the 
program  cost  is  completed.  For  the  2004  disaster,  the  Department  received  an 
advance  from  the  federal  government  of  $2.5  million  in  2005  2006.  There  is  still 
$10  million  in  outstanding  recoveries  on  this  project.  The  Department  has  not  yet  set 
targets  dates  for  requesting  an  audit  for  either  additional  interim  funding  or  the  final 
payment. 

For  the  2005  disaster,  the  Department  has  requested  and  received  three  interim 
audits  by  the  federal  government.  The  results  of  the  third  interim  audit  done  in 
February  2009  are  not  yet  finalized.  It  is  not  clear  what  the  expected  timelines  are 
for  completing  the  project  and  requesting  the  final  audit. 


Estimates  of  costs 
and  recoveries  not 
adjusted  for 
significant 
fluctuations  based 
on  actual  cost  or 
new  information 


Estimates 

The  Department  does  not  have  a  formal  process  for  determining  when  accrued 
liabilities  to  repair  the  damage  or  expected  recoveries  should  be  adjusted  on  the 
financial  statements  to  reflect  the  expected  project  outcomes.  The  estimate  of  total 
costs  and  recoveries  is  based  on  initial  assessments  of  the  damage  after  it  has 
occurred.  However,  the  expected  costs  to  complete  projects  change  as  actual  costs 
are  incurred.  For  the  2005  disaster,  there  is  a  $13  million  accrued  liability  for 
completion  of  the  project,  but  estimates  prepared  by  management  indicate  the  costs 
may  be  significantly  less.  Expected  recoveries  are  also  less  than  the  original 
estimate.  Management  has  decided  to  leave  the  initial  estimate  for  both  the  accounts 
receivable  and  accrued  liability  on  its  financial  statements  until  the  project  is  fully 
complete.  Management  should  assess  if  this  practice  is  appropriate  for  larger 
disasters  which  are  more  difficult  to  accurately  estimate  at  the  time  they  occur. 


1  O.C.  360/2008  and  O.C.  362/2008  both  dated  July  30,  2008. 
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Implications  and  risks  if  recommendation  not  implemented 

Available  federal  funding  may  not  be  obtained,  or  not  received,  in  a  timely  manner. 


Financial  statements 

Unqualified  Qur  auditor's  opinions  on  the  Ministry's  and  Department's  financial  statements  for 

auditor  s  opinions      .  .    .  .  .      .  . 

the  year  ended  March  31,  2009  are  unqualified. 

Our  auditor's  reports  for  the  year  ended  December  3 1 ,  2008,  on  the  following 
financial  statements  are  unqualified: 

•  Improvement  Districts  4.  9,  12,  13  and  24 

•  Kananaskis  Improvement  District 

•  Special  Areas  Trust  Account 


Unqualified 
review 

engagement  report 


Performance  measures 

The  Ministry  engaged  us  to  review  selected  performance  measures  in  the  Ministry's 
2008  2009  Annual  Report.  We  issued  an  unqualified  review  engagement  report  on 
these  measures. 
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Seniors  and  Community  Supports 

Summary 

The  Department's  Program  Branch,  working  with  Community  Boards,  has: 

•  implemented  our  2003-2004  recommendation  to  reduce  the  risk  of  sen  ice 
providers  breaching  contracts — see  page  306 

•  implemented  our  2003  2004  recommendation  to  update  and  impro\e  their 
contracting  policies  and  procedures — see  page  306 

•  made  satisfactory  progress  in  implementing  our  2003  2004  recommendation  to 
strengthen  the  monitoring  and  evaluation  of  the  performance  of  service 
providers — see  page  308 

For  any  outstanding  recommendations  previously  made  to  the  organizations  that 
form  the  Ministry,  please  see  our  outstanding  recommendations  list  on  page  335. 


Two 

recommendations 
implemented 


Satisfactory 
progress  for 
monitoring  results 


Our  audit  findings  and  recommendations 

1 .   Persons  with  Developmental  Disabilities  Boards'  contracting  systems 
1.1  Summary 

In  2004.  w  e  performed  an  audit  of  the  Persons  with  Developmental  Disabilities 
(PDD)  Provincial  Board  and  Community  Boards"  systems  for  contract 
management.  We  made  three  recommendations  to  the  Boards  to  improve 
contracting  policies  and  processes  for  monitoring  service  providers. 

The  Department's  PDD  Program  Branch  and  Community  Boards  have 
implemented  significant  changes  to  business  and  contracting  processes  that 
improve  both  the  accountability  of  service  providers  and  monitoring  processes. 
They  have  implemented  our  recommendation  to  conduct  risk  assessments  and 
audit  service  providers.  The  Boards  have  also  implemented  new  contracting 
policies  and  processes. 

The  Community  Boards  have  made  satisfactory  progress  in  improving  their 
systems  for  monitoring  service  providers  by  examining  financial  reporting  of 
all  service  prov  iders  and  developing  standardized  processes  to  evaluate  and 
monitor  performance. 

To  finish  implementing  our  recommendation,  the  Boards  need  to  work  with  the 
Program  Branch  to  develop  a  common  approach  to  developing  service  provider 
audit  plans,  and  consistently  apply  monitoring  activities  to  new  contracts. 
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2.    Findings  and  recommendations 
2.1 .  Risk  assessments — implemented 
Background 

In  our  2003-2004  Annual  Report  (No.  8 — page  107)  we  recommended  that  the 
Program  Branch,  in  conjunction  with  the  six  Community  Boards,  reduce  the 
risk  of  service  providers  breaching  contracts  by: 

•  performing  a  risk  assessment  to  identify  service  providers  with  a  high  risk 
of  breaching  contracts;  and 

•  auditing  high-risk  service  providers  to  ensure  that  they  spend  funding 
according  to  their  contracts  and  that  they  meet  the  other  terms  of  their 
contracts. 


Community  Board 
responsibility  to 
audit  service 
providers 


Individual  Community  Boards  are  responsible  for  engaging  auditors  to  audit 
service  providers.  The  Program  Branch  also  provides  staff  to  assist  Boards  in 
completing  a  limited  number  of  service  provider  audits  each  year. 


60  agency  audits: 

recovered 

S 1 .3  million 


Risk  assessments 


Our  audit  findings 

In  2004,  Community  Boards  engaged  the  Office  of  the  Chief  Internal  Auditor 
(later  Corporate  Internal  Audit  Services)  to  perform  audits  on  60  agencies. 
These  audits  were  carried  out  between  2004  and  2006.  As  a  result  of  the  audits, 
PDD  recov  ered  $1.3  million  from  16  service  providers.  An  additional 
$3.4  million  is  before  the  courts.  Management  chose  not  to  pursue  collection  of 
$449,000  from  five  service  provider  agencies  on  the  grounds  that  collection 
w  as  unlikely  and  it  w  ould  be  uneconomic  to  pursue  collection. 

In  2005,  the  Community  Boards  implemented  a  risk  assessment  process  to 
identify  high  risk  service  providers.  The  risk  assessment  examined  and  scored 
numerous  factors  related  to  agency  governance,  finances  and  operations.  Since 
2006.  Community  Boards  have  assessed  risks  and  performed  audits  as  a  result 
of  specifically  identified  issues  that  arise  through  monitoring  activities  or  public 
complaints.  Community  Boards  completed  39  additional  audits  since  2006,  for 
a  total  of  99  serv  ice  provider  audits. 


2.2.  Improving  policies  and  procedures — implemented 
Background 

In  our  2003-2004  Annua/  Report  (page  109),  we  recommended  that  the 
Program  Branch  work  with  the  Community  Boards  to  update  and  improve  their 
contracting  policies  and  procedures. 
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New  policies 
implemented 


Service  provider 
monitoring  policy 


Our  audit  findings 

The  Program  Branch,  working  with  the  Community  Boards,  has  strengthened 
contracting  policies  and  procedures  by  implementing: 
a  service  provider  monitoring  policy 
a  conflict  of  interest  reporting  policy 
a  contract  administration  policy 
new  contract  templates 

changes  to  service  prov  ider  compensation  processes. 

Staff  have  been  trained  on  the  new  policies  and  procedures.  We  found  that 
Boards'  staff  applied  the  new  contracting  policies. 

Contracting  policy  changes 

In  2005.  a  new  service  provider  monitoring  policy  was  approved.  This  policy 
provides  guidance  to  staff  in  monitoring  key  areas  of  service  provider 
performance  such  as  ensuring  that  service  agreements  arc  in  place  with 
individuals.  Creating  Excellence  Together  certification  is  in  place,  and  financial 
reporting  requirements  are  met. 

In  2007.  the  Ministry  of  Seniors  and  Community  Supports  implemented  a 
conflict  of  interest  reporting  policy  applicable  to  all  entities  within  the  ministry. 


Contract 

administration 

policy 


A  new  Persons  with  Developmental  Disabilities  Contracting  Administration 
Policy  was  put  into  effect  on  July  I,  2008.  The  policy  provides  guidance  on: 
soliciting  bids  or  tenders 
selecting  contractors 

preparing  business  cases  for  sole-sourcing  arrangements 
preparing,  executing  and  approving  contracts 
contract  management  and  administrative  practices 


Common  set  of 
accountability 
standards  for 
service  providers 


Contracting  changes 

As  at  March  31,  2009  Community  Boards  were  in  the  process  of  eliminating 
Individual  Funding  (IF)  arrangements.  Individuals  receiving  services  from  this 
service  delivery  alternative,  are  transferring  to  contract  funding  or  family 
managed  support  arrangements.  All  service  provider  contracts  entered  into  after 
March  3 1 .  2009  use  a  common  template.  Consequently,  all  service  prov  iders 
are  subject  to  a  common  set  of  accountabilities  for  the  use  of  funds  that 
Community  Boards  provide. 


Payments  based 
on  services 
received 


Payment  mechanisms  have  also  changed.  The  new  contract  requires  contract 
service  providers  to  bill  monthly  for  the  actual  services  provided  to  individuals. 
This  change  reduces  the  risk  of  service  prov  iders  accumulating  surplus  funds. 
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Staff  training  and  guidance 
ining  provided  Training  sessions  were  held  for  Community  Board  staff  in  June  2007  and  again 

in  October/November  2007.  Additional  guidance  is  available  on  the  PDD 
intranet  to  assist  staff  in  contracting  activities.  The  Program  Branch  continues 
to  work  with  Boards  to  develop  policy  and  support  for  staff. 

2.3.  Monitoring  and  evaluation  of  service  providers — satisfactory  progress 
Background 

In  our  2003-2004  Annua/  Report  (No.  9 — page  1 1 1 ),  we  recommended  that  the 
Program  Branch  work  with  the  Community  Boards  to  strengthen  the 
monitoring  and  evaluation  of  the  performance  of  service  providers  by: 

•  requiring  individual  funding  sen  ice  providers  to  provide  adequate 
financial  reporting 

•  obtaining  annual  financial  statements  to  evaluate  the  financial 
siistainability  of  critical  service  providers 

•  implementing  a  sustainable,  risk-based  internal  audit  plan 

•  developing  and  implementing  standard  procedures  to  be  followed  when 
Community  Board  staff  are  in  contact  with  service  providers 

•  implementing  a  method  to  evaluate  service  provider  performance 


General  purpose 
financial 
statements 
required 


Our  audit  findings 

Monitoring  financial  reporting 

Beginning  in  2006,  all  service  providers,  including  those  providing  services 
under  the  IF  stream,  were  required  to  provide  general  purpose  financial 
statements.  In  2008,  the  Community  Boards  began  the  elimination  of  the  IF 
sen  ice  delivery  stream.  All  service  provider  agencies  will  be  required  to  enter 
into  a  new  contract.  The  new  service  provider  agency  contract  requires  all 
sen  ice  providers  to  submit  financial  information  in  prescribed  forms  and 
annual  financial  statements. 


Family  managed  support  agreements  require  families  to  maintain  specific 
financial  information  about  the  services  that  have  been  contracted  and  delivered 
and  to  provide  Community  Boards  with  annual  financial  information  in  a 
prescribed  form. 


Boards  review 

financial 

information 


We  examined  financial  information  rev  iews  at  each  of  the  Community  Boards 
for  the  1 2  months  ended  March  3 1 ,  2008.  We  noted  that  service  providers  were 
not  consistently  providing  the  financial  information  within  the  prescribed 
120  day  time  limit.  Community  Board  staff  followed  up  late  submissions  and 
completed  the  financial  reviews. 
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Financial 
statement  review 
results 


Community  Boards  maintained  summary  information  of  financial  reviews.  This 
information  identified  contracts  where  the  cost  of  sen  ices  provided  were  less 
than  the  amount  funded.  Community  Boards  collect  these  surpluses  through 
receiving  a  refund  cheque  or  reducing  subsequent  contract  payments.  Detailed 
documentation  of  the  financial  statement  reviews  was  not  consistent!) 
maintained  on  file.  A  primary  purpose  of  conducting  financial  reviews  is  to 
identity  agencies  that  may  be  in  financial  difficult}  ;  however,  we  did  not  see 
evidence  that  Community  Boards  use  standard  criteria  against  which  the 
financial  position  of  serv  ice  prov  iders  should  be  assessed. 


To  implement  the  recommendation,  the  Community  Boards  need  to  work  w  ith 
the  Program  Branch  to  develop  criteria  to  consistently  assess  service  prov  ider 
financial  health. 


Different 
approaches  to 
dev  eloping  audit 
plans 


Sustainable  risk  based  audit  plan 

While  the  Community  Boards  have  implemented  a  common  enterprise  risk 
management  process,  we  did  not  see  evidence  that  the  Community  Boards  have 
consistent  plans  to  deal  with  ongoing  audits  of  service  prov  iders.  Some 
Community  Boards  arrange  audits  in  response  to  issues  raised  from  monitoring 
activ  ities,  others  advocate  introducing  an  element  of  randomness  w  hen 
selecting  agencies  for  audit. 


To  implement  the  recommendation,  the  Community  Boards  need  to  work  vv  ith 
the  Program  Branch  to  develop  a  common  approach  to  dev  eloping  serv  ice 
provider  audit  plans. 

Service  provider  performance  assessment 

The  2005  monitoring  policy  lays  out  key  areas  of  service  provider  monitoring, 
as  well  as  documentation  requirements  to  demonstrate  that  monitoring  has 
taken  place.  Community  Boards  were  performing  monitoring  in  accordance 
vv  ith  the  policy;  however  evidence  of  monitoring  activ  ities  was  not  consistently 
maintained  in  accordance  with  the  policy. 


Contracts  contain 

performance 

requirements 


The  new  contracts  contain  several  requirements  that  are  useful  for  assessing 
service  provider  performance.  Service  prov  iders  must  obtain  certification  under 
the  Creating  Excellence  Together  standards.  These  standards  include  quality  of 
life,  quality  of  service,  and  organizational  standards.  New  contract  terms  and 
conditions  require  that  an  Individual  Service  Agreement  be  in  place  for  each 
individual  receiving  service  through  a  sen  ice  pro\  ider  agency. 


The  Boards  have  not  yet  had  an  opportunity  to  monitor  service  provider 
compliance  w  ith  the  new  contracts.  To  implement  the  recommendation,  we  will 
need  to  examine  how  the  Boards  monitor  the  new  contracts. 
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Financial  statements 

^uXr'fopinions    ^  auditofs  °Pinions  on  the  Ministry  and  Department  financial  statements  for  the 
year  ended  March  31,  2009  are  unqualified. 

Our  auditor's  opinions  on  the  financial  statements  of  the  following  for  the  year 
ended  March  31,  2009  are  unqualified: 

Persons  with  Development  Disabilities  Calgary  Region  Board 
Persons  with  Development  Disabilities  Central  Region  Board 
Persons  with  Development  Disabilities  Edmonton  Region  Board 
Persons  with  Development  Disabilities  Northeast  Region  Board 
Persons  with  Development  Disabilities  Northwest  Region  Board 
Persons  with  Development  Disabilities  South  Region  Board 

Our  auditor's  opinion  on  the  financial  statements  of  the  Calgary  Region  Community 
Board  has  an  information  paragraph  reporting  that  expenses  include  payments  by 
the  Community  Board  for  services  to  indiv  iduals  whose  disability  did  not  meet  the 
legal  definition  of  a  developmental  disability. 


Unqualified 
review 

engagement  report 

these  measures 


Performance  measures 

The  Ministry  engaged  us  to  review  selected  performance  measures  in  the  Ministry's 
2008  2009  Annual  Report.  We  issued  an  unqualified  review  engagement  report  on 
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Service  Alberta 

Summary 

The  Ministry  of  Service  Alberta  should: 

•  complete  and  test  an  information  technology  resumption  plan — see  below 

•  improve  its  process  to  pro\  ide  timely  supporting  documentation  on  payroll 
information  that  it  maintains  for  itself  and  its  client  ministries — see  page  3  12 

The  Ministry  has: 

•  made  satisfactory  progress  implementing  our  2003  2004  recommendation 
relating  to  contracting  policies  and  procedures — see  page  313 

•  implemented  our  2005  2006  recommendation  to  clearly  define  its  performance 
measures  and  improve  its  processes  to  track  and  report  results — see  page  3 1 5 

•  implemented  our  October  2008  recommendation  to  securely  store  confidential 
information — see  page  316 

•  implemented  our  2004  recommendation  related  to  implementing  a  risk 
assessment  for  Central  Data  Centre  assets — see  page  317 

For  any  outstanding  recommendations  previously  made  to  the  organizations  that 
form  the  Ministry,  please  see  our  outstanding  recommendations  list  on  page  335. 


Our  audit  findings  and  recommendations 

Information  technology  resumption  plan 
Recommendation  No.  35 

\\  e  recommend  that  the  Ministry  of  Sen  ice  Alberta  complete  and  test  an 
information  technology  resumption  plan. 

Background 

Service  Alberta  delivers  over  30  enterprise  services  to  different  ministries.  It 
uses  third  party  service  prov  iders  for  some  of  these  services,  f  or  example,  the 
payroll  module  in  the  Government  of  Alberta's  financial  system,  IMAGIS.  is 
outsourced  to  one  service  provider,  while  the  Ministry's  core  network 
connection  is  outsourced  to  another.  Information  technology  (IT)  services  that 
Service  Alberta  delivers  include  active  directory  services,  mainframe  services, 
enterprise  print  services,  network  and  infrastructure  services,  voice  services  and 
support  for  corporate  server  env  ironments  running  on  multiple  platforms  such 
as  Microsoft  Windows,  UNIX,  Solaris  and  AIX. 


Service  Alberta 
delivers  over  30 
enterprise  services 
to  client  ministries 


1. 


Report  of  the  Auditor  General  of  Alberta 
October  2009 


31 


Financial  Statement  and  Other  Assurance  Audits 


Service  Alberta 


Services  delivered 
through  two  data 
centres 


IT  resumption 
plan  only  partially 
documented 


Service  Alberta 
should  document  a 
complete  IT 
resumption  plan 


T  hese  services  are  mainly  provided  through  the  Edmonton  data  centre.  Service 
Alberta  has  a  secondary  data  centre  in  Calgary.  The  Edmonton  and  Calgary 
data  centres  are  redundant  sites  that  support  each  other,  and  provide  a  business 
continuity  solution  for  critical  and  vital  services.  Edmonton  acts  as  the  recovery 
site  for  critical  and  vital  services  hosted  out  of  Calgary,  and  Calgary  is  the 
recovery  site  for  Edmonton. 

Service  Alberta  partially  documented  an  IT  resumption  plan  for  its  Edmonton 
Data  Centre  in  2002;  it  was  last  updated  in  2006.  An  IT  resumption  plan  is  a  set 
of  documents,  instructions,  and  procedures  that  describe  how  IT  business 
processes  will  be  restored  after  a  significant  disruption  has  occurred. 

Criteria:  the  standards  we  used  for  our  audit 

Service  Alberta  should  have  a  documented  IT  resumption  plan.  This  plan 
should  include  control  processes  to: 

•  ensure  that  all  critical  services  and  systems  supporting  these  services  are 
identified  in  the  plan  and  that  the  timelines  to  resume  business  are  agreed 
to  by  all  affected  groups 

•  regularly  test  the  resumption  plan  to  ensure  it  is  capable  of  restoring 
necessary  services  and  systems  to  within  the  agreed  timelines 

•  update  the  resumption  plan  after  testing  and  communicate  changes  to  all 
those  affected 


Service  Alberta 
has  not  tested  it's 
overall  IT 
resumption  plan 


Our  audit  findings 

Set  s  ice  Alberta  has  tested  its  ability  to  resume  some  critical  services,  including 
its  service  desk  and  some  mainframe  applications  it  hosts  for  client  ministries. 
I  low  e\  er.  it  did  not  test  all  mainframe  applications,  nor  did  it  complete, 
approve  or  test  its  overall  IT  resumption  plan  for  its  computing  centre  in 
Edmonton. 


Implications  and  risks  if  recommendation  is  not  completed 

Service  Alberta  may  not  be  able  to  resume  critical  and  vital  services,  such  as 
remote  access,  authentication  services,  network  operations  and  data  centre 
operations  within  expected  timelines. 

2.    Payroll  review  processes 
Recommendation 

We  recommend  that  the  Ministry  of  Service  Alberta  improve  its  process  to 
provide  timely  supporting  documentation  on  payroll  information  that  it 
maintains  for  itself  and  its  client  ministries. 


Ability  to  resume 
critical  services 
unconfirmed 
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Serv  ice  Alberta 
processes  payroll 
for  go\  eminent 
departments 


Background 

Service  Alberta's  pay  and  benefit  team  is  responsible  for  payroll  processing  for 
government  departments.  The  team  must  \erify  approval  of  employees' 
timesheets  before  processing  any  payroll  payments.  As  part  of  the  monthly 
payroll  review,  the  accounting  officer  uses  human  resources  management 
system  (HRMS)  queries  to  select  unusual  or  large  payroll  payments  for 
investiuation. 


Availability  of 
timely  and 
complete 
documentation  is 
key  to  completion 
of  reviews 


Supporting 
documents  for 
rev  ievvs  not 
prov  ided  promptly 


Criteria:  the  standards  we  used  for  our  audit 

Service  Alberta  should  properly  maintain  and  store  all  documents  that  support 
payroll  processing.  The  availability  of  timely  and  complete  documentation  will 
ensure  that  Service  Alberta's  own  accounting  officer  and  its  client  ministries' 
accounting  officers  can  complete  quality  payroll  reviews. 

Our  audit  findings 

We  examined  Service  Alberta's  payroll  review  process  for  two  selected 
months.  We  noted  that  the  accounting  officer  did  not  receive  all  supporting 
documents  in  a  timely  manner  for  items  selected  for  review — for 
November  2008,  the  payroll  team  could  only  promptly  provide  supporting 
documents  for  1 1  of  14  payroll  items  selected,  and  for  only  five  of  12  payroll 
items  selected  for  December  2008.  As  a  result,  the  accounting  officer  could  not 
complete  the  necessary  review  s  of  all  selected  transactions. 


We  extended  our  testing  to  examine  Service  Alberta's  payroll  process  for  a 
client  ministry.  In  February  2009,  we  noted  that  the  client  ministry's  accounting 
officer  could  only  complete  the  review  from  April  to  September  2008  because 
the  requested  supporting  documents  were  not  provided  promptly  by  Service 
Alberta. 


Implications  and  risks  if  recommendation  not  implemented 

•  without  adequate  review  of  payroll  processing.  Serv  ice  Alberta  could  make 
inaccurate  or  unauthorized  payments 

•  without  a  proper  process  to  maintain  and  promptly  provide  payroll 
documentation  for  itself  and  its  client  ministries  for  review.  Service  Alberta 
is  not  meeting  its  obligations  as  a  service  provider 

3.    Contracting  policies  and  procedures — satisfactory  progress 
Background 

In  our  2003  2004  Annual  Report  (No.  20 — page  1 77).  we  recommended  that 
the  Ministry  of  Service  Alberta  develop  comprehensiv  e  contracting  policies  and 
procedures,  train  its  staff  on  how  to  follow  the  policies  and  procedures  and 
monitor  staff  compliance  with  them. 


Report  of  the  Auditor  General  of  Alberta                                               ^  3 
October  2009  '  


Financial  Statement  and  Other  Assurance  Audits 


Service  Alberta 


In  our  2004-2005  Annual  Report  (page  282),  we  reported  that  the  Ministry  had 
put  in  place  new  contracting  policies  and  procedures  and  established  a  Contract 
Review  C  ommittee  (C  ommittee). 


Staff  compliance 
with  contracting 
policies  and 
procedures,  and  a 
process  to  deal 
with  exceptions 
are  key 


In  our  2005-2006  Annual  Report  (vol.  2 — page  170),  we  reported  that  the 
Ministry  continued  to  make  satisfactory  progress  in  improving  its  contracting 
systems.  We  noted  that,  to  finish  implementing  our  recommendation,  the 
Ministry  needed  to  demonstrate  staff  compliance  with  all  contracting  policies 
and  procedures,  set  a  realistic  timeline  for  the  Committee  to  review  and 
comment  on  contract  packages,  and  establish  a  process  to  deal  with  exceptions. 


Contract 

Management  Unit 
monitors  staff 
compliance 


Our  audit  findings 

The  Ministry's  contract  for  services  policy  outlines  contracting  procedures  that 
comply  with  the  Agreement  on  Internal  Trade  (AIT)  and  the  Trade, 
Investment  and  Labour  Mobility  Agreement  (TILMA).  The  policy  requires  that: 

•  all  contracts  in  the  amount  of  $25,000  or  more  be  presented  to  the  Contract 
Re\  icw  Committee  for  approval 

•  all  contracts  o\  er  $75,000  go  through  a  legal  review  process 

•  the  Committee  must  brief  the  Deputy  Minister  on  all  contracts  or 
amendments  over$l  million 

•  urgent  contracts  may  be  approved  online,  in  which  case  the  contracts  must 
ha\  e  approval  from  at  least  three  Committee  members 

The  Ministry's  Contract  Management  Unit  (Unit),  established  in  April  2007,  is 
responsible  for  monitoring  contract  compliance,  reviewing  and  revising  the 
contract  policy.  This  Unit  conducts  annual  audits  on  a  sample  of  contracts 
(45  in  2007  2008,  25  in  2008-2009),  communicates  its  findings  on 
non-compliance  to  contract  managers,  and  reports  its  findings  to  the  Contract 
Re\  icw  Committee. 


Service  Alberta 
needs  to  deal  with 
non-compliance 


Effective  formal 
training  to  staff  is 
key 


Overall,  while  the  Unit  is  effective  in  identifying  instances  of  non-compliance, 
it  lacks  the  mandate  needed  to  reinforce  contract  managers'  compliance  with 
the  contracting  policy.  Nor  does  the  Ministry  have  a  process  in  place  to  deal 
with  non-compliance. 

The  Ministry  also  updated  the  contracting  policy  and  put  it  into  practice 
effective  April  1,  2007.  We  noted  that  formal  training  for  contract  managers 
\\  as  provided  in  December  2008,  when  the  Ministry  offered  an  expenditure 
officer  refresher  course.  The  course  included  an  explanation  of  the  significance 
of  contract  management  in  the  Ministry,  methods  of  sourcing  and  the  role  of  the 
Contract  Review  Committee.  The  Ministry  has  over  50  contract  managers,  of 
which  26  attended  the  course.  However,  when  we  conducted  interviews  with  a 
sample  of  contract  managers,  we  noted  that  six  of  nine  were  either  unaware  of 
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Sen  ice  Alberta 
should  define  and 
report  its 
performance 
measures 


the  policy  that  has  been  in  force  or  of  the  thresholds  for  contracts  under  the  A 1 1 
and  TILMA.  Thus,  even  though  the  course  was  offered,  its  effectiveness  is 
questionable. 

To  finish  implementing  our  recommendation,  the  Ministry  needs  to: 

•  establish  a  process  to  deal  with  instances  of  non-compliance 

•  reinforce  staff  compliance  with  contracting  policies  and  procedures  In 
providing  effective  continuing  education 

4.    Performance  measures  systems — implemented 
Background 

In  previous  years,  we  recommended  that  the  Ministry  of  Service  Alberta  cleark 
define  its  performance  measures,  and  improve  its  processes  to  track  and  report 
results.  In  our  2005-2006  Annual  Report  (vol.  2— page  164),  we  reported  that 
the  Ministry  had  made  satisfactory  progress  and  that,  to  finish  implementing 
our  recommendation,  the  Ministry  had  to  develop  a  performance  measure 
showing  its  contribution  in  improving  efficiency  in  the  Alberta  government  and 
across  ministries. 


Sen  ice  Alberta 
measures  its 
shared  serv  ices 
delivery 


Efficiency 
achieved  is 
measured 


A  new  measure  on 
client  satisfaction 
developed 


Our  audit  findings 

We  reviewed  the  performance  measures  in  the  Ministry's  recent  business  plans 
and  annual  reports,  and  internal  operational  measures  and  reporting  processes  to 
see  if  the  Ministry  has  measured  and  demonstrated  its  contribution  to  improving 
efficiency  of  cross-ministry  services. 

The  Ministry's  2008-201 1  Business  Plan  includes  Excellence  in  Delivering 
Shared  Services  to  Ministries  and  Partners  as  one  of  its  goals.  The  Ministry 
will  measure  its  progress  in  contributing  to  government  efficiency  through 
technology  adoption  and  integration  using  two  performance  measures: 

•  percentage  of  invoices  paid  electronically 

•  percentage  of  clients  satisfied  with  services  received  from  Service  Alberta 

Percentage  of  invoices  paid  electronically — measures  the  efficiencies  achie\  ed 
across  ministries  by  using  electronic  payment  of  invoices,  a  shared  service  that 
the  Ministry  provides.  This  convenience  is  expected  ultimately  to  decrease  the 
time  ministries  spend  on  administrative  tasks. 

Percentage  of  clients  satisfied  with  services  received  from  Service  Alberta— 
is  a  new  performance  measure  that  reports  the  percentage  of  the  Ministry  of 
Serv  ice  Alberta's  client  ministries  who  are  satisfied  with  cross-ministry 
services  such  as  accounts  payable,  revenue,  pay  and  benefits,  mail  and  logistics, 
email,  records  management,  library  service,  fleet  management  and  web  server 
support.  Satisfaction  with  the  timeliness,  accuracy  and  accessibility  will 
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( Committee 

established  to 

ev  aluate  measures 


Service  Alberta 
processes 
confidential 
information 


Documents 
archived  for  seven 
years,  then 
destroyed 


Confidential 
information  now 
securely  stored 


5. 


demonstrate  efficient  execution  of  the  services  that  have  been  integrated  across 
the  Alberta  government.  This  measure  will  be  reported  for  the  first  time  in  the 
Ministry  of  Serv  ice  Alberta's  2008-2009  annual  report.  The  Ministry  is  also 
part  of  a  cross-prov  incial  organization  that  shares  best  practices  with  the  federal 
government  and  other  provincial  governments. 

To  continue  improv  ing  the  tracking  and  reporting  of  performance  measures,  the 
Ministry  uses  the  Operational  Planning  System,  an  online  tool,  to  report 
performance  measures  for  each  goal,  in  every  quarter.  The  Ministry's  Executive 
Committee  and  divisional  management  teams  review  the  reports  and  use  them 
for  planning. 

The  Ministry  has  also  established  an  internal  Performance  Measures  Advisory 
Committee.  The  Committee  periodically  evaluates  the  suitability  of  existing 
performance  measures  and  leads  the  development  of  new  measures. 

Secured  storage  for  confidential  information  of  Albertans— implemented 
Background 

Registry  agencies  receive  requests  for  cancellation  of  services  previously 
requested  by  Albertans.  The  agencies  send  the  void  or  cancelled  marriage 
licences  and  applications  for  birth,  marriage  and  death  certificates,  together 
with  the  -Request  for  Cancelling  a  Service"  forms  to  Service  Alberta  for 
processing  into  the  vital  statistics  (VISTAS)  and  IMAGIS  systems. 

When  the  Ministry  receives  the  documents  and  the  void  or  cancelled 
certificates,  it  reviews  and  approves  the  cancellation  requests  before  entering 
the  cancellation  in  VISTAS  and  IMAGIS.  The  void  or  cancelled  certificates  are 
kept  at  the  Ministry  for  one  year  before  management  sends  them  for  archiving 
at  a  government  storage  site.  The  documents  are  kept  at  the  site  for  seven  years 
and  destroyed  after  this  retention  period. 

In  our  October  2008  Report  (page  348),  we  noted  that  the  void  or  cancelled 
certificates  are  not  securely  stored  at  the  Ministry's  premises.  These  certificates 
were  kept  in  a  box  under  the  desk  of  an  employee. 

Our  audit  findings 

The  Ministry  implemented  our  recommendation  by  keeping  the  void  or 
cancelled  documents  with  confidential  information  obtained  through  its  vital 
statistics  services  in  a  locked  cabinet  in  a  secure  location. 
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manage 

operational  risks 


Risk  assessment  for  Central  Data  Centre  Assets— implemented 
Background 

In  a  management  letter  in  2004  (reported  formally  in  our  2006  2007  Annual 
Report,  page  149).  we  recommended  that  the  Ministry  of  Sen.  ice  Alberta 
improve  its  control  framework  by  implementing  a  process  for  conducting 
formal  risk  assessments  for  data  centre  operations.  In  2005,  the  Ministry 
acquired  an  operational  risk  assessment  framework,  Microsoft  Operations 
Framework  (MOF),  to  manage  risks  on  a  day-to-day  basis.  In  2006.  the 
Ministry  tested  a  methodology  called  Fundamental  Information  Risk 
Management  (FIRM),  to  perform  a  threat  risk  assessment  of  Active  Directory 
Services.  In  2007,  the  Ministry  engaged  the  MOF  framework  to  manage  day-to- 
day operational  risks. 


In  2008,  Ministry  management  agreed  to  expand  the  scope  of  its  risk 
assessment  framework  to  identify  all  risks  that  could  impact  services  it  provides 
to  client  ministries. 


Scope  of  risk 
management  plan 
updated,  critical 
sen  ices  identified 
and  high  exposure 
risks  regularly 
re\  iewed 


Our  audit  findings 

The  Ministry  implemented  our  recommendation  by  updating  the  scope  of  its 
risk  management  plan  to  manage  the  risks  associated  with  the  delivery  of  its 
services  to  client  ministries.  The  Ministry  identified  critical  services  it  provides 
to  client  ministries,  and  assigned  responsibility  for  these  services  to  specific 
individuals.  Operational  subject  matter  experts  perform  monthly  review  of 
risks,  and  management  review  higher  risks  at  monthly  meetings. 


Unqualified 
auditor's  opinion 


Financial  statements 

Our  auditor's  opinion  on  the  Ministry  financial  statements  for  the  year  ended 
March  3 1 .  2009  is  unqualified. 


Unqualified 
review 

engagement  report 


Performance  measures 

The  Ministry  engaged  us  to  review  selected  performance  measures  in  the  Ministry's 
2008-2009  Annual  Report.  We  issued  an  unqualified  review  engagement  report  on 
these  measures. 
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Solicitor  General  and  Public  Security 

Summary 

The  Department  of  Solicitor  General  and  Public  Security  implemented  our 
recommendation  relating  to  the  Department's  business  continuity  plan  (BCP) — see 
below 

Due  to  changed  circumstances  our  recommendation  to  the  Department  to  improve 
its  change  management  processes  is  no  long  valid    see  below 

The  Alberta  Liquor  and  Gaming  Commission  implemented  our  recommendation 
relating  to  change-management — see  page  320 

For  any  outstanding  recommendations  previously  made  to  the  organizations  that 
form  the  Ministry,  please  see  our  outstanding  recommendations  list  on  page  335. 


High  reliance  on 
IT 


Our  audit  findings  and  recommendations 

1 .   The  Department  of  Solicitor  General  and  Public  Security 
1.1  Department's  business  continuity  plan  (BCP) — implemented 
Background 

In  our  2006-2007  Annual  Report  (vol.  2 — page  155),  we  recommended  that  the 
Department  of  Solicitor  General  and  Public  Security  develop  procedures  to 
implement  its  business  continuity  plan  (BCP)  so  it  can  recover  its  information 
technology  operations  within  required  timeframes  in  a  disaster. 

The  Department  relies  heavily  on  IT  and  computer  based  solutions  to  deliver 
services. 


BCP  used  to 
manage  risk 


A  BCP  is  part  of  the  standard  set  of  tools  required  by  businesses  today  to 
manage  risk.  A  BCP  involves  the  processes  and  procedures  put  in  place  to 
ensure  that  essential  business  functions  continue  to  operate  during  and  after  a 
disaster.  A  key  part  of  a  BCP  is  the  disaster  recovery  plan  (DRP).  The  DRP  is 
the  process  that  guides  the  organization  through  key  steps  required  to  recover 
IT  applications,  within  the  BCP  framework. 


Series  of 
improvements 


Our  audit  findings 

The  Department  implemented  this  recommendation  by  developing  procedures 
to  implement  its  business  continuity  plan. 
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Service  Alberta  is 
the  mam 
outsourced 
provider 


1.2  Change  Management — changed  circumstances 

In  our  2006-2007  Annual  Report  (vol.  2,  page  1 54),  we  recommended  that  the 
Department  of  Solicitor  General  and  Public  Security  improve  its  change 
management  processes  to  include  changes  outsourced  service  providers  make  to 
its  information  technology  environment. 

The  Department  relies  on  information  technology  to  make  complete  and 
accurate  data  available  for  its  management  systems.  The  Department  and  its 
main  service  provider,  Service  Alberta,  support  and  make  changes  to  these 
systems.  The  Department  is  responsible  for  ensuring  that  internal  and  external 
providers  meet  expected  service  levels  and  that  appropriate  controls  are  in  place 
for  the  security,  confidentiality,  integrity  and  availability  of  their  systems  and 
data. 


Control  evaluated 
during  review  of 
Service  Alberta 
service 

agreements  and 
IT  control 
framework 


One  change 

management 

process 


In  2008,  in  response  to  a  recommendation  by  our  Office,  Service  Alberta  began 
updating  service  level  agreements  with  all  ministries  that  use  the  Government 
of  Alberta's  shared  infrastructure.  We  are  no  longer  reporting  on  our 
recommendation  to  the  Department  of  Solicitor  General  and  Public  Security. 
Instead,  we  will  examine  this  control  as  part  of  our  review  of  Service  Alberta's 
management  of  serv  ice  lev  el  agreements,  and  through  follow-up  of  an 
additional  recommendation  to  Service  Alberta  to  develop  and  promote  a 
comprehensive  IT  control  framework  for  use  within  government  departments. 

2.   Alberta  Gaming  and  Liquor  Commission 
2.1  Change-management — implemented 
Background 

In  2008,'  we  recommended  that  the  Alberta  Gaming  and  Liquor  Commission 
(the  Commission)  design  and  implement  a  comprehensive  change-management 
policy  with  well-designed,  efficient  and  effective  control  processes.  We  further 
recommended  that  the  Commission  ensure  that  its  change-management  controls 
are  consistently  followed  throughout  the  Commission. 

Our  audit  findings 

The  Commission  adopted  the  change-management  process  used  in  the 
application-development  area  and  created  one  change-management  process  for 
the  IT  environment.  This  process  now  requires  documentation  to  show: 

•  testing  of  approved  changes 

•  segregation  of  duties  to  approve  a  change  request  (initiator  and  approver 
must  be  different  people) 

•  back-out  plans 

•  post-implementation  reviews 
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We  tested  the  change-management  process  to  determine  how  changes  were 
requested  and  implemented  in  the  IT  environment.  ( )ur  scope  included  changes 
to  critical  business  applications,  as  well  as  to  network  infrastructure. 

New  change-  AH  changes  followed  the  new  change-management  process.  In  addition,  the 

management  Commission  has  now  trained  station  how  to  properK  document  chanue 

process  followed 

requests. 


Financial  statements 

Unqualified  Our  auditor's  opinions  on  the  financial  statements  of  the  Ministry,  the  Department, 

auditor's  opinions    ^  victims  0f  Crime  Fund,  the  Alberta  Gaming  and  Liquor  Commission,  and  the 
Alberta  Lottery  Fund  for  the  year  ended  March  31,  2009  are  unqualified. 

Performance  measures 

Unqualified  Thc  Ministry  engaged  us  to  review  selected  performance  measures  in  the  Ministry's 

review  2008-2009  Annual  Report.  We  issued  an  unqualified  review  enuauement  report  on 

engagement  report  r 

these  measures. 
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Sustainable  Resource  Development 

Summary 

The  Department  should  improve  policies  and  processes  in  its  information 
technolog}  control  environment    see  below 

For  any  outstanding  recommendations  previously  made  to  the  organizations  that 
form  the  Ministry  ,  please  see  our  outstanding  recommendations  list  on  page  335. 


Our  audit  findings  and  recommendations 

1 .    IT  control  framework 
Recommendation 

We  recommend  the  Department  of  Sustainable  Resource  Development 
improve  policies  and  processes  in  its  information  technology  control 
environment. 


Background 

Since  2006.  we  have  made  recommendations  to  the  Department  to  improve 
various  aspects  of  its  information  technology  general  computer  controls.  These 
recommendations  included: 

1 .  Update  the  Department's  information  technology  security  policies  to  meet 
new  Government  of  Alberta  security  guidelines.  (2007) 

2.  Establish  and  follow  procedures  to  revoke  and  provide  access  to  its 
computer  systems.  (2006) 

3.  Improve  the  environmental  and  physical  controls  for  Department  server 
rooms.  (2007) 

4.  Ensure  the  Department's  disaster  recovery  plan  ( DRP)  meets  business 
requirements  and  is  periodically  re\  ievved.  (2007) 

5.  Promote  and  maintain  IT  security  awareness.  1 2007 ) 

Previous  |n  2009,  we  reviewed  the  progress  on  these  five  recommendations  and  have 

recommendations  combined  them  into  one  recommendation  called  "IT  control  framework." 

combined  into  one 

Criteria:  the  standards  we  used  for  our  audit 

The  Department  should  have  documented  policies  and  processes  for  the 
IT  general  computer  control  environment  to  help  ensure  that  security  and 
continuity  is  maintained. 
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Security  policies 
need  to  be  updated 


Processes  to 
revoke  access  to 
terminated 
employees  need  to 
be  established 


Our  audit  findings 

The  Department  has  not  yet  updated  its  information  technology  security 
policies  to  meet  new  Government  of  Alberta  security  guidelines.  Senior 
management  of  the  Information,  Communications  and  Technology  Branch  has 
drafted  IT  policies,  but  has  not  approved  them  as  of  February  17,  2009. 

The  Department  has  not  yet  established  processes  to  grant  and  revoke  access  to 
its  computer  systems.  Our  testing  revealed  that  some  users  still  had  access  to 
financial  systems  after  being  terminated. 

As  of  February  1 7,  2009,  a  relative  humidity  sensor  was  not  installed  in  the 
Department  data  centre  and  connected  to  a  protection  services  alarm  system.  In 
addition,  the  card-access  control  system  was  not  installed  on  all  the  data  centre 
doors,  making  the  card-management  and  logging  features  ineffective. 

The  Department  did  update  both  DRP  and  the  Business  Continuity  Plan  (BCP). 
How  ever,  it  did  not  test  its  DRP  or  its  BCP  in  the  2008-2009  fiscal  year. 

In  2007.  the  Department  planned  to  run  three  security-awareness  programs 
during  the  fiscal  year.  How  ev  er,  the  Department  is  still  awaiting  approval  of  the 
security  policies  before  it  can  start  the  security-awareness  training.  Therefore, 
the  Department  did  not  conduct  a  security-awareness  program  in  2008  or  2009. 

Implications  and  risks  if  recommendation  not  implemented 

Without  documented  security  policies  and  processes  or  security  awareness 
training: 

•  employ  ees  may  not  be  aw  are  of  their  responsibilities  for  protecting  the 
Department's  information  assets 

•  terminated  employees  could  use  their  credentials  to  access  and  make 
unauthorized  changes  to  financial  systems 

•  the  Department  risks  services  outages,  and  a  loss  or  theft  of  its  data  due  to 
poor  humidity  controls  and  weak  physical  security  controls 

Controls  over  revenue — progress  report 
Background 

In  2008.  we  recommended  that  the  Ministry  review  its  revenue  systems  and  put 
processes  in  place  to  allow  significant  revenues  currently  recorded  when  cash  is 
received  to  be  recorded  when  revenue  is  due  to  the  Crown. 

In  the  accrual  basis  of  accounting,  revenues  and  expenses  are  reflected  in  the 
determination  of  results  for  the  period  in  which  they  are  considered  to  have 
been  earned  and  incurred,  respectively,  whether  or  not  such  transactions  have 
been  settled  finally  by  the  receipt  or  payment  of  cash  or  its  equivalent. 
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In  the  cash  basis  of  accounting,  revenue  is  recorded  when  cash  is  received. 

The  Ministry  records  surface  disturbance  charges  for  mineral  surface  leases  as 
well  as  sand  and  gravel  royalties  on  a  cash  basis. 

Criteria:  the  standards  we  used  for  our  audit 

Controls  over  revenue  should  ensure  revenue  is  completely  and  accurately 
recorded. 


Ministry  is  now 
invoicing 
outstanding  tecs 


Management  actions 

In  March  2009.  the  Ministry  hired  consultants  to  review  its  files  related  to  land 
disturbance  fees.  Based  on  the  work  performed  by  the  consultants,  the  Ministry 
estimated  that  approximately  $9.5  million  of  land  disturbance  fees  from  prior 
years  were  not  assessed  and  invoiced.  They  also  estimated  S2.9  million  of  land 
disturbance  fees  would  be  assessable  for  2008.  In  April  2009.  the  Ministry 
began  invoicing  industry  for  these  amounts.  The  Ministry  is  still  developing 
processes  and  assessing  resource  needs  so  that  revenues  can  be  assessed  and 
accrued  in  a  timelv  manner. 


Full 

implementation 
planned  by 
March  2010. 


The  Ministry  plans  to  fully  implement  this  recommendation  and  adopt  an 
accrual  basis  of  accounting  in  the  2009  2010  fiscal  year. 

What  remains  to  be  done 

In  order  to  fully  implement  this  recommendation,  the  Ministry  needs  to: 

•  Implement  ongoing  processes  to  ensure  revenues  related  to  land 
disturbance  fees  and  sand  and  gravel  royalties  can  be  estimated  for 
accounting  purposes  and  invoiced  for  timely  collection. 

•  Ensure  adequate  supporting  documentation  is  available  to  support  all 
amounts  invoiced  pertaining  to  prior  years  fees, 

•  Be  able  to  assess  the  collectability  of  these  prior  year  revenue  amounts 
before  accruing  them. 


Implications  and  risks  if  recommendation  not  implemented 

The  Ministry  may  not  bill  and  correctly  record  all  the  revenue  it  is  entitled  to. 
The  Ministry  may  also  not  be  able  to  fully  collect  the  revenue  earned  in  the  year 
because  the  limitation  period  for  enforcement  as  per  the  Limitations  Act  may 
have  expired. 
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Sustainable  Resource  Development 


Financial  statements 

Unqualified  Qur  auditor's  opinions  on  the  financial  statements  of  the  Ministry,  the  Department 

auditor  s  opinions         ,  „,    „  ,  ^  ,  „  ,  J  r 

and  the  Environmental  Protection  and  Enhancement  Fund  for  the  year  ended 

March  3 1 ,  2009  are  unqualified. 

Our  auditor's  opinions  on  the  financial  statements  of  the  Natural  Resources 
C  onservation  Board  for  the  year  ended  March  3 1 ,  2009  is  unqualified. 

Performance  measures 

Un?uallfied  Thc  Ministry  engaged  us  to  review  selected  performance  measures  in  the  Ministry's 

engagement  report    2008  2009  Annual  Report.  We  issued  an  unqualified  review  engagement  report  on 
these  measures. 


326 


Report  of  the  Auditor  General  of  Alberta 
October  2009 


Financial  Statement  and  Other  Assurance  Audits 


Past 

recommendations 


Tourism,  Parks  and  Recreation 

For  any  outstanding  recommendations  previously  made  to  the  organizations  that 
form  the  Ministry,  please  see  our  outstanding  recommendations  list  on  page  335. 


Unqualified 
auditor's  opinions 


Unqualified 
review 

engagement  report 


Financial  statements 

Our  auditor's  opinions  on  the  financial  statements  of  the  Ministry  ,  Department  and 
the  Alberta  Sport.  Recreation.  Parks  and  Wildlife  f  oundation  for  the  y  ear  ended 
March  3 1 .  2009  are  unqualified. 

Performance  measures 

The  Ministry  engaged  us  to  review  selected  performance  measures  in  the  Ministry  "s 
2008  2009  Annual  Report.  We  issued  an  unqualified  review  engagement  report  on 
these  measures. 
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Transportation 

Summary 

The  Department  of  Transportation  should  develop  and  implement  an  Information 
Technology  risk  assessment  framework    see  below 

For  any  outstanding  recommendations  previously  made  to  the  organizations  that 
form  the  Ministry,  please  see  our  outstanding  recommendations  list  on  page  335. 


Our  audit  findings  and  recommendations 

IT  risk  assessment 
Recommendation 

We  recommend  that  the  Department  of  Transportation  develop  and  implement 
an  Information  Technology  risk  assessment  framework. 

Background 

IT  risk  management  is  the  analysis,  identification,  documentation,  assessment,  and 
prioritization  of  risks,  follow  ed  by  coordinated  and  economical  application  of 
resources  to  minimize,  monitor,  and  control  the  probability  and  or  impact  of 
unfortunate  events.  IT  risks  can  originate  from  many  sources,  including  project 
failures,  accidents,  natural  causes  and  disasters,  as  well  as  deliberate  attacks.  Several 
risk  management  standards  have  been  developed,  including  the  Project  Management 
Institute,  COSO.  and  ISO  standards. 

Criteria:  the  standards  we  used  for  our  audit 

The  Department  of  Transportation  should: 

•  have  a  comprehensive  risk  management  framework  that  identifies  all 
information  technology  risks  that  it  must  manage 

•  implement  control  processes  to  economically  manage  or  mitigate  identified 
information  technology  risks 

Our  audit  findings 

The  Department  assesses  risks  in  its  IT  env  ironment  as  part  of  their  ongoing 
operations  through  activities  including  business  continuity  planning  (BCP)  and 
project  management.  By  assessing  risk  on  case  by  case  situations,  like  when  they 
are  evaluating  a  new  project,  the  Department  is  only  able  to  obtain  a  limited  view  of 
the  risks  affecting  their  environment.  The  Department  docs  not  currently  have  a 
process  to  collate  all  of  these  risk  assessments  from  the  projects.  BCP  and  other 
sources,  to  understand  IT-related  risks  (such  as  changes  in  technology  and  threats 
from  new  malware).  and  to  be  sure  that  all  risks  are  identified  and  mitigated.  The 
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Department  relies  on  the  expertise  and  knowledge  of  its  senior  management  to 
manage  IT  risks,  and  ensure  that  their  risk-management  strategy  is  consistently 
applied.  However,  no  documentation  is  maintained  to  evidence  this  evaluation. 

Implications  and  risks  if  recommendation  not  implemented 

The  Department  may  not  be  able  to  proactively  monitor  their  IT  risk  as  technology 
evolves  or  as  good  practices  for  protecting  their  environment  change.  A  risk- 
assessment  methodology  that  addresses  the  entire  environment  with  regular  risk 
assessments  would  allow  the  Department  to  maintain  continuity  in  managing  risk  if 
staff  leave  or  change. 


Unqualified 
auditor's  opinion 


Financial  statements 

Our  auditor's  opinion  on  the  Ministry  of  Transportation  for  the  year  ended 
March  31.  2009  is  unqualified. 


Performance  measures 

The  Ministry  engaged  us  to  review  selected  performance  measures  in  the  Ministry's 
engagement  report    2008-2009  Annual  Report.  We  issued  an  unqualified  review  engagement  report  on 
these  measures. 


Unqualified 
review 
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Treasury  Board 


Treasury  Board 


past  For  any  outstanding  recommendations  previously  made  to  the  organi/ations  that 

recommendations     form  the  Ministry,  please  see  our  outstanding  recommendations  list  on  page  335. 


Unqualified 
auditor's  opinion 


Unqualified 
review 

engagement  report 


Financial  statements 

Our  auditor's  opinion  on  the  Ministry  of  Treasury  Board's  financial  statements  for 
the  year  ended  March  3 1 ,  200°  is  unqualified. 

Performance  measures 

The  Ministry  engaged  us  to  review  selected  performance  measures  in  the  Ministry's 
2008-2009  Annual  Report.  We  issued  an  unqualified  review  engagement  report  on 
these  measures. 
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Past  Recommendation? 
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Past  Recommendations 


Outstanding  Recommendations 


Outstanding  Recommendations 

This  is  a  complete  list  of  numbered  and  unnumbered  recommendations  that  are  not  yet  implemented. 
Recommendations  older  than  three  years  or  that  have  been  repeated  one  or  more  times  are  identified 
accordingly.  Audits  marked  with  an  asterisk  *  indicate  that  management  believes  the  recommendation 
has  been  implemented  but  we  have  not  yet  conducted  a  follow-up  audit.  Reports  containing  these 
recommendations  are  on  our  website  at  www.oag.ab.ca. 

We  currently  have  257  outstanding  recommendations — 124  are  numbered.  133  are  unnumbered.  1  1 
are  repeated  and  27  are  more  than  three  years  old.  We  use  three  years  as  a  performance  measure  for 
when  we  expect  management  to  implement  our  numbered  recommendations. 

Advanced  Education  and  Technology 
Department 

*  •      Non-credit  programs:  Standards  and  expectations — April  2008.  #1.  p.  22 

•  Non-credit  programs:  Monitoring — April  2008.  #2,  p.  23 

•  Monitoring  vocational  programs  offered  by  private  institutions-  April  2008.  p.  42 

•  IT  control  policies  and  processes — April  2008.  #8.  p.  195 
Alberta  College  of  Art  and  Design 

•  IT  internal  controls— 2006-07.  vol.  2.  p.  2 1 

•  Financial  reporting  and  year-end  processes — April  2008.  p.  180 

•  Preserving  endowment  assets — April  2009,  p.  78 
Bow  \  alley  College 

*  •      Contract  reviews — April  2009,  p.  1 6 

*  •      Contracting  processes — April  2009.  p.  1 8 

*  •      Vendor  maintenance — April  2009.  p.  1 9 

*  •      Processing  of  contract  payments — April  2009,  p.  20 

*  •      Unethical  conduct  in  the  workplace — April  2009,  p.  2 1 

*  •      Quarterly  financial  reporting — April  2009.  p.  94 
Grande  Prairie  Regional  College 

*  •      C  apital  asset  management — April  2008.  p.  1 84 

•  Preserv  ing  endowment  assets — April  2009.  p.  78 
Grant  MacEwan  University1 

•  Computer  control  environment — 2004  05.  p.  104 
(outstanding  3  or  more  years) 

*  •      Construction  management — November  2006.  #9.  p.  35 

•  Donations — November  2006.  #10.  p.  37 

*  •      Bookstore  operations — April  2008.  p.  1 86 

*  •      Parking  services  fees — April  2009.  p.  82 

*  •      Sports  and  Wellness  Centre— April  2009.  p.  83 

*  •      Prompt  completion  of  sub-ledger  reconciliations — April  2009,  p.  84 

*  •      Capital  assets— April  2009,  p.  85 
Keyano  College 

•  Preserv  ing  endowment  assets — April  2009.  p.  78 


1  By  Order  in  Council  (O.C.  481/2009  dated  September  24,  2009)  Grant  MacEwan  College's  name  was  changed  to  Grant 
MacEwan  University. 
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Lakeland  College 

•  Preserving  endowment  assets — April  2009,  p.  78 

•  Improve  payroll  eontrols — April  2009,  p.  91 

•  Segregation  of  duties  over  journal  entries — April  2009.  p.  92 

Lethbridge  College 

•  Preserving  endowment  assets — April  2009,  p.  78 
Medicine  Hat  College 

•  Preserving  endowment  assets-  April  2009,  p.  78 

•  Periodic  reporting  to  the  Board — April  2009.  p.  95 
Mount  Royal  University2: 

•  Retention  and  severance  agreements — 2004-2005,  p.  100 

•  Governance  and  Human  Resources  Committee  Charter — 2004-2005,  p.  1 01 

•  Preserv  ing  endowment  assets — April  2009,  p.  78 

•  Segregation  of  payroll  duties — April  2009,  p.  93 
NorQuest  College 

•  Preserv  ing  endowment  assets — April  2009,  p.  78 

•  Internal  controls  over  cash— April  2009,  p.  87 

•  Procurement  cards— discrepancy  log — April  2009,  p.  88 

•  Procurement  cards-compliance  with  policy — April  2009,  p.  89 
Northern  Alberta  Institute  of  Technology 

•  Construction  management:  selection  processes — April  2008,  p.  48 

•  Review  of  procurement  card  transactions — April  2009,  p.  90 
Olds  College 

•  Preserving  endowment  assets — April  2009,  p.  78 
Portage  College 

•  Preserving  endowment  assets — April  2009,  p.  78 
Red  Deer  College 

•  Preserving  endowment  assets — April  2009,  p.  78 
University  of  Alberta 

•  Strategic  planning  for  Research — 2003-04,  p.  252 
(outstanding  3  or  more  years) 

•  Security  contlguration  settings — 2006-07,  vol.  2.  p.  24 
University  of  Calgarj 

•  Research  measures  and  targets — 2003-04,  p.  254 
(outstanding  3  or  more  years) 

•  Planning  for  research  capacity — 2003-04,  #26.  p.  255 
(outstanding  3  or  more  years) 

•  Research  roles  and  responsibilities — 2004-05,  #18,  p.  90 
(outstanding  3  or  more  years) 

•  Research  policies — 2004-05.  p.  91 
(outstanding  3  or  more  years) 

•  Research  project  proposals— 2004-05.  p.  92 
(outstanding  3  or  more  years) 

»      Research  project  management — 2004-05,  p.  93 

(outstanding  3  or  more  years) 
»      Research  revenues  and  expenditures — 2004-05,  p.  94 

(outstanding  3  or  more  years) 

•  General  computer  controls — 2005-06,  vol.  2.  p.  20 

IT  governance  and  control  framework — 2006-07.  #18.  vol.  2.  p.  10 


"  By  Order  in  Council  (O.C.  435/2009  dated  September  2.  2009)  Mount  Royal  College's  name  was  changed  to  Mount  Royal 
University. 
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•  C  ontrols    research  and  trust  accounts    2000  07.  vol.  2.  p.  1 5 
(repeated  once  since  2(>ii3  (Mi  (outstanding  3     more  years) 

•  lmpro\  ing  the  control  en\  ironnient    October  2008,  #2 1 .  p.  2 1 3 

•  PeopleSoft  security— October  2009,  #  1 1 ,  p.  155 
(repeated  three  times  since  2(1(15  06) 

•  Controls  over  payroll    October  2009.  p.  1 53 
(repeated  twice  since  2006  07) 

•  Improving  controls  over  journal  entries    October  2009.  p.  157 
(repeated  once  since  October  2008) 

University  of  Lethbridge 

•  IT  internal  control  framework — 2006-07,  #21.  vol.  2.  p.  23 

*  •      Financial  research  roles  and  responsibilities    October  200S.  p.  225 

*  •      Clear  and  complete  research  policies — October  2008,  p.  227 

*  •      Processes  for  investing  in  research  projects — April  2009,  #1.  p.  26 

Agriculture  and  Rural  Development 

Department 

*  •      Performance  measurement — 2002-03,  #3,  p.  49 

(outstanding  3  or  more  years) 

•  Evaluating  program  success:  grant  management    2004  05.  -20.  p.  113 
(repeated  once  since  2000-01)  (outstanding  3  or  more  years) 

•  Food  Safety:  Alberta  Agriculture's  surveillance  program — 2005  06.  #9.  \ol.  I .  p.  88 

•  Food  Safety:  Alberta  Agriculture's  food  safety  information  systems — 2005-06,  vol.  1,  p.  94 

•  Verifying  eligibility  for  Farm  Fuel  Benefit  program — 2005-06,  #24,  vol.  2,  p.  37 

•  Monitoring  IT  security  policy —2005-06,  vol.  2,  p.  40 

•  Reporting  and  dealing  with  allegations  of  employee  misconduct — November  2006,  #12.  p.  46 
Department  and  Health  and  Wellness 

•  Food  Safety:  Integrated  food  safety  planning  and  activities — October  2009.  «|  1  .p.  107 
(repeated  once  since  2005-06) 

•  Food  Safety:  Accountability — October  2009,  #13,  p.  114 
(repeated  once  since  2005-06) 

•  Food  Safety:  Eliminating  gaps  in  food  safety  inspection  coverage — October  2009.  #12.  p.  Ill 
(repeated  once  since  2005-06) 

Agriculture  Financial  Services  Corporation 

•  Loan  loss  processes — 2006-07,  vol.  2,  p.  32 

Children  and  Youth  Services 
Department 

*  •      Risk  assessment  and  internal  audit  services — 2001-02,  #9.  p.  54 

(outstanding  3  or  more  years) 

*  •      Enhanced  child  interv  ention  standards — 2006-07,  #6.  vol.  1,  p.  79 

*  •      Accreditation  systems  for  service  providers — 2006-07,  #7,  vol.  l,p.  82 

*  •      Department  compliance  monitoring — 2006-07,  #8,  vol.  l,p.  83 
Child  and  Familv  Services  Authorities 

*  •      Authorities  compliance  monitoring  processes — 2006-07,  vol.  l,p.  86 

*  •      Authorities  monitoring  of  service  prov  iders — 2006  07.  vol. .  p.  88 

Culture  and  Community  Spirit  and  Tourism,  Parks  and  Recreation 

•  Computer  control  environment — 2006-07,  vol.  2.  p.  172 
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Education 

•  School  board  budget  process — 2005-06,  #25,  vol.  2,  p.  65 

•  School  board  interim  reporting — 2005-06,  #26,  vol.  2.  p.  68 

•  Business  cases — 2006-07,  vol.  2.  p.  45 

Employment  and  Immigration 

Department 

•  Income  support  program — exception  reports — 2006-07,  vol.  2.  p.  55 

•  Compliance  function — Income  support  program — 2006-07.  vol.  2.  p.  56 

•  IT  control  environment— 2006-07,  #23,  vol.  2,  p.  60 

•  Monitoring  and  enforcement  of  training  providers — October  2008,  #24,  p.  245 

•  Approving  and  renewing  training  programs — October  2008.  p.  249 

•  Improving  the  use  of  information  systems — October  2008,  p.  25 1 

Energy 

Department 

•  Assurance  on  well  and  production  data — 2005-06,  #27.  vol.  2,  p.  76 
(repeated  once  since  2004-05)  (outstanding  3  or  more  years) 

•  Royalty  regime  objectives  and  targets — 2006-07,  #9,  vol.  1 .  p.  115 

•  Royalty  planning,  coverage  and  internal  reporting — 2006-07,  #10,  vol.  1.  p.  119 

•  Royalty — improving  annual  performance  measures — 2006-07,  #1 1.  vol.  1.  p.  124 

•  Royalty — periodic  public  information — 2006-07,  #  1 2.  vol.  1 .  p.  1 26 

•  Royalty— enhancing  controls— 2006-07.  #13.  vol.  1 .  p.  1 29 

•  Documenting  potential  conflicts  of  interest — April  2008.  p.  57 

•  Alberta's  Bioenergy  Programs — October  2008,  #25,  p.  255 

•  Reporting  royalty-liable  fuel-gas  volumes — October  2008,  #26,  p.  257 
Department.  F.nv  ironment  and  Sustainable  Resource  Development 

•  Sustainable  Resource  and  Environmental  Management  (SREM)  Implementation  Plan — 
2004-05.  #14.  p.  72 

(outstanding  3  or  more  years) 
Energy  Resources  Conservation  Board 

•  Assurance  systems  for  volumetric  accuracy — 2004-05,  #29,  p.  1 69 
(outstanding  3  or  more  years) 

•  Liability  management  for  suspension,  abandonment  and  reclamation  activities — 2004-05,  #30,  p.  173 
(outstanding  3  or  more  years) 

•  IT  control  framework— 2006-07,  #24,  vol.  2.  p.  7 1 

Environment 

Department 

•  Drinking  Water:  Approvals  and  registrations — 2005-06,  #1,  vol.  1,  p.  37 

•  Drinking  Water:  Inspection  system — 2005-06,  #2,  vol.  1.  p.  43 

•  Drinking  Water:  Communicating  with  partners— 2005-06,  vol.  I,  p.  48 

•  Drinking  Water:  Information  systems— 2005-06,  #4.  vol.  1.  p.  52 

•  Drinking  Water:  Supporting  drinking  water  goals— 2005-06,  #5,  vol.  1 .  p.  53 

•  Water  Well  Drilling— 2005-06,  #28,  vol.  2.  p.  84 

•  Climate  change:  Planning — October  2008,  #9,  p.  97 

•  Climate  change:  Monitoring  processes — October  2008,  #  1 0.  p.  1 00 

•  Climate  change:  Public  reporting — October  2008,  #1 1 ,  p.  101 

•  EcoTrust  gov  ernance — October  2008,  p.  262 

•  Financial  security  for  land  disturbances — October  2009,  #23,  p.  207 
(repeated  three  times  since  1998-99)  (outstanding  3  or  more  years) 
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Department,  I  aergj  and  Sustainable  Resource  Development 

•      Sustainable  Resource  and  Environmental  Management  (SRI  M)  Implementation  Plan 
2004-05,  #14.  p.  72 
(outstanding  3  or  more  years) 


Executive  Council 

•  CEO:  Guidance— October  2008.  U I .  p.  27 

•  Agency  Governance  Secretariat:  CEO  Accountabilitv 

•  Central  Security  Office — October  2008.  "4.  p.  53 


-October  2008,  #2,  p.  29 


Finance  and  Knterprise 

Department 

Rates  of  return  used  to  forecast  investment  income — 2006-07,  vol.  I.  p.  142 
Personal  income  tax  forecast — 2006  07.  vol.  I.  p.  143 
Corporate  income  tax  forecast — 2006-07.  #14.  vol.  I.  p.  145 
Public  reporting  of  revenue  forecasts — 2006-07,  #16,  vol.  1,  p.  149 
Alberta  Indian  Tax  Exemption  program  limits — 2006-07.  vol.  2.  p.  85 
Obtaining  assurance  on  third  party  service  prov  iders — 2006-07.  vol.  2.  p.  87 
User  access — October  2008.  p.  272 

Use  of  spreadsheets  in  processing  taxes — October  2008,  p.  273 
Investment  Accounting  and  Reporting  Group — October  2008.  #28.  p.  268 
Alberta  Capital  Finance  Authority 

Additional  skilled  resources  required — April  2009.  p.  103 
Alberta  Investment  Management  Corporation  (AIMCo) 

Access  and  change  management  controls    2006  07.  vol.  2.  p.  93 
Internal  control  certification— October  2008.  #32,  p.  279 
Procedures  for  valuing  real  estate  investments — October  2008.  p.  285 
Accuracy  of  priv  ate  equity  partnership  inv  estments — October  2008,  #33.  p.  287 
(repeated  once  since  2006-07) 

International  Swaps  and  Derivatives  Association  Agreements— October  2008,  #34,  p.  288 
Controls  over  records  management — October  2008.  p.  291 
Alberta  Treasury  Branch  (ATB) 

Risk  management— 2002-03,  #16.  p.  121 

(repeated  once  since  2001-02)  (outstanding  3  or  more  years) 

Treasury  management:  Business  rules  and  operating  procedures — October  2008,  #12,  p.  118 
Treasury  management:  Performance  targets — October  2008.  p.  123 
Treasury  management:  Variable  pay  program-  October  200S.  p.  125 
Treasury  management:  Liquidity  reporting — October  2008.  p.  127 
Treasury  management:  Liquidity  simulations — October  2008.  p.  128 
Treasury  management:  Liquidity  contingency  plan — October  2008.  #13.  p.  129 
Treasury  management:  Interest  rate  risk  reporting — October  2008.  ^14.  p.  131 
Treasury  management:  Interest  rate  risk  model  assumptions— October  2008.  p.  132 
Treasury  management:  Interest  rate  risk  modeling  and  stress  testing — October  2008.  p.  1 34 
Treasury  management:  Interest  rate  risk  controls — October  2008.  p.  136 
Treasury  management:  Role  and  use  of  middle  office— October  2008.  p.  137 
Treasury  management:  Treasury  information  systems— October  2008.  p.  138 
Treasury  management:  Treasury  policies — October  2008.  p.  139 
Treasury  management:  Role  of  ALCO — October  2008.  #15.  p.  142 
Treasury  management:  Internal  audit  program — October  2008.  p.  143 
Fair-value  calculations  of  investments — October  2008,  p.  274 
Derivative  credit  limits  in  report — October  2008.  p.  276 
Internal  control  weaknesses — October  2008.  #29,  p.  278 
Criminal-record  checks — October  2008.  #30.  p.  279 
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•  Securitization  policy  and  business  rules — October  2008,  #31,  p.  280 

•  Compliance  with  Alberta  Finance  Guideline — October  2009,  #25,  p.  226 
(repeated  once  since  2006-07) 

Health  and  Wellness 
Department 

•  Accountability  of  the  health  regions  to  the  Minister  of  Health  and  Wellness — 2003-2004,  #23,  p.  1 97 

•  Accountability  for  health  care  costs — annual  report  results  analysis — 2005-06,  #31,  vol.  2,  p.  116 

•  Accountability  for  health  care  costs — performance  measures — 2005-06,  #32,  vol.  2,  p.  118 

•  Analysis  of  physician  billing  information — 2005-06,  #33,  vol.  2,  p.  120 
(repeated  once  since  2000-01)  (outstanding  3  or  more  years) 

•  Information  technology  control  environment — 2005-06,  #34,  vol.  2,  p.  123 
(repeated  twice  since  2001-02)  (outstanding  3  or  more  years) 

•  Unauthorized  network  connections — 2006-07,  vol.  2.  p.  105 
*          •      Claims  assessment  system — 2006-07,  vol.  2,  p.  107 

•  Provincial  Mental  Health  Plan — The  accountability  framework — April  2008,  #4,  p.  77 

•  Compliance  monitoring  activities — October  2008,  #35,  p.  300 

•  Infrastructure  funding  for  health  facilities — October  2008,  p.  301 

•  Accountability  for  conditional  grants — October  2009,  p.  252 
(repeated  twice  since  2001-02) 

Department  and  Agriculture  and  Rural  Development 

•  Food  Safety:  Integrated  food  safety  planning  and  activities — October  2009,  #1 1 ,  p.  107 
(repeated  once  since  2005-06) 

•  Food  Safety:  Accountability— October  2009,  #13,  p.  114 
(repeated  once  since  2005-06) 

•  Food  Safety:  Eliminating  gaps  in  food  safety  inspection  coverage — October  2009,  #12,  p.  Ill 
(repeated  once  since  2005-06) 

Department  and  Alberta  Health  Sen  ices 

•  Seniors  Care:  Compliance  with  Basic  Service  Standards — 2004-05,  #6,  p.  58 
(outstanding  3  or  more  years) 

•  Seniors  Care:  Effectiveness  of  services  in  long-term  care  facilities — 2004-05,  #7,  p.  59 
(outstanding  3  or  more  years) 

•  Seniors  Care:  Long-term  care  accommodation  rates  and  funding — 2004-05,  #8,  p.  59 
(outstanding  3  or  more  years) 

•  Seniors  Care:  Information  to  monitor  compliance  with  legislation — 2004-05,  p.  61 
(outstanding  3  or  more  years) 

•  Seniors  Care:  Future  needs  for  services  in  long-term  care  facilities — 2004-05,  #9,  p.  62 
(outstanding  3  or  more  years) 

•  Seniors  Care:  Continuing  care  strategic  services  plans — 2004-05,  p.  62 
(outstanding  3  or  more  years) 

•  Food  Safety:  Tools  to  promote  and  enforce  food  safety — 2005-06,  vol.  1 .  p.  83 

•  Mental  Health:  Provincial  Mental  Health  Plan:  Implementation  systems — April  2008,  #3,  p.  72 
Mental  Health:  Standards— October  2008,  #16,  p.  162 

•  Mental  Health:  Funding,  planning,  and  reporting — October  2008,  p.  186 

•  Mental  Health:  Aboriginal  and  suicide  priorities — October  2008.  p.  190 
Alberta  Health  Services 

•  Calgary  and  Capital:  Performance  measures  for  surgical  services — 2000-01,  p.  135 
(outstanding  3  or  more  years) 

•  Food  Safety:  Inspection  programs — October  2009.  #9,  p.  93 
(repeated  once  since  2005-06) 

•  Food  Safety:  Information  systems — October  2009.  #10,  p.  99 
(repeated  once  since  2005-06) 

•  Calgary:  Monitoring  service  provider  compliance  and  performance — 2005-06,  #36,  vol.  2,  p.  128 

•  Calgary:  Change-management  process — 2006-07,  #28,  vol.  2,  p.  112 
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Calgary:  Inappropriate  user  access — 2006-07.  «2l).  vol.  2.  p.  113 
Cancer  Board:  Controls  over  access  to  computer  applications    2006  07.  vol.  2.  p.  115 
AADAC  General  computer  controls    2006  07.  vol.  2.  p.  I  16 
AADAC  Contracting  Practices:  Internal  controls    November  20()(>.  •  1 .  p.  14 
AADAC  Contracting  Practices:  Board  governance — November  2006.  #3,  p.  I  7 
Mental  Health:  Housing  and  supportive  living    October  200S.  "17.  p.  IM 
Mental  Health:  Concurrent  disorders    October  200S.  "IS.  p.  168 
Mental  Health:  Not-for-profit  organizations    October  200S.  p.  169 
Mental  Health:  Gaps  in  service— October  2008.  #  1 9.  p.  171 
Mental  Health:  Prov  incial  coordination — October  2008.  p.  176 
Mental  Health:  Community-based  serv  ice  delivery — October  2008,  p.  181 
Calgary:  IT  change  management  controls — October  2008,  p.  306 
Calgary:  IT  user  access  management  controls — October  2008,  p.  307 
Capital:  IT  security  controls — October  2008.  p.  308 
Capital:  IT  change  management  controls — October  2008.  p.  309 

Peace  Country:  Expense  claims  and  corporate  credit  cards  controls — October  2008.  p.  3 1 
Peace  Country:  Contract  documentation    ( )ctober  200S.  p.  3  1 2 

•  Peace  Country:  IT  user  access — October  2008,  p.  3 1 3 
Health  Quality  Council  of  Alberta  (HQCA) 

•  Investigative  Role  Policy— October  2008.  p.  3 1 7 

•  Guidance  on  using  legal  assistance — October  2008.  p.  3 19 


International  and  Intergovernmental  Relations 

•  Evaluating  international  offices'  performance — October  2008.  p.  324 

•  Ensuring  effective  information-system  controls — October  2008.  p.  326 

Justice  and  Attorney  General 

•  Judicial  IT  Security— 2006-07,  vol.  2.  p.  131 

Legislative  Assembly 

*  •      Members' Services  Allowance— 2006-07,  vol.  2,  p.  189 

*  •      Temporary  Residence  Allowance— 2006  07,  vol.  2,  p.  192 


Municipal  Affairs 

•  Information  Technology  management  controls — 2006-07,  vol.  2,  p.  138 
(repeated  once  since  2003-04)  (outstanding  3  or  more  years) 

•  ME  first!  Program— October  2008,  #37,  p.  335 

Seniors  and  Community  Supports 
Department 

Effectiveness  of  Seniors  Lodge  Program — 2004-05,  #12,  p.  66 
(outstanding  3  or  more  years) 

Determining  future  needs  for  Alberta  Seniors  Benefit  Program — 2004-05.  p.  67 
(outstanding  3  or  more  years) 

Effectiveness  of  the  Alberta  Seniors  Benefit  Program — 2004-05,  p.  68 
(outstanding  3  or  more  vears) 

Information  to  determine  benefits  for  the  Alberta  Seniors  Benefit  Program — 2004-05,  #13.  p.  69 
(outstanding  3  or  more  vears) 
General  computer  controls — 2006  07,  vol.  2,  p.  143 
Persons  with  Developmental  Disabilities  Boards 

Contract  monitoring  and  ev  aluation — 2003  04,  #9.  p.  I  I  I 
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Service  Alberta 

Department 

•  Contracting  policies  and  procedures — 2003-04,  #20,  p.  1  77 
(outstanding  3  or  more  years) 

•  IT  project  management  of  registry  renewal  initiative — 2004-05,  #34,  p.  2 1 2 
(outstanding  3  or  more  years) 

•  IT  project  management— 2005-06,  #22,  vol.  1 .  p.  1 74 

•  Physical  security— 2005-06,  #37,  vol.  2.  p.  1 68 

•  IT  Serv  ice  level  agreements  between  Service  Alberta  and  its  client  ministries — 2006-07,  #32,  vol.  2, 
p.  146 

•  Security  administration  for  shared  services — 2006-07,  vol.  2,  p.  148 
(repeated  once  since  2005-06) 

•  Guidance  to  implement  IT  control  frameworks — April  2008,  #7,  p.  170 

•  Increasing  collaboration  by  ministries — October  2008,  p.  84 

•  Physical  security — October  2008,  #8,  p.  87 

•  Service  Alberta's  as  a  central  processor  of  transactions — October  2008,  #38,  p.  345 

•  Access-  and  security-monitoring  of  application  systems — October  2008,  p.  346 

•  System-conversion  process — October  2008,  p.  349 

Department  with  all  ministries 

•  Develop  and  maintain  detailed  standards  and  policies  to  build  and  operate  secure  web  applications — 
October  2008,  p.  64 

•  Develop  standards  and  policies  to  ensure  web  applications  are  built  to  required  standards — 
October  2008.  #5,  p.  66 

•  Rev  iew  and  improve  the  GoA's  shared  computing  infrastructure  policies,  procedures,  and  standards- 
October  2008,  #6,  p.  68 

•  Wireless  policies  and  standards — October  2008.  p.  75 

•  Device  configurations — October  2008.  p.  76 

•  Ongoing  monitoring  and  surveillance — October  2008,  #7.  p.  77 

•  Backup  power  supplies — October  2008,  p.  85 

•  Environmental  security — October  2008,  p.  89 

Sustainable  Resource  Development 

Department 

*  •      Contracting— 2002-03,  p.  277 

(outstanding  3  or  more  years) 

•  Reforestation:  Monitoring  and  enforcement — 2005-06,  #15,  vol.  1 ,  p.  122 

•  Reforestation:  Seed  inventory — 2005-06,  vol.  1.  p.  129 

•  Reforestation:  Performance  information — April  2009,  #2,  p.  52 
(repeated  once  since  2005-06) 

•  Leases  and  sales — 2006-07,  vol.  2.  p.  161 

•  Land  sale  agreements — 2006-07,  vol.  2,  p.  162 

•  Requests  for  proposals— 2006-07,  #33.  v  ol.  2.  p.  163 

*  •      Project  management — 2006-07.  vol.  2.  p.  165 

•  Controls  over  revenue — October  2008,  #39,  p.  355 

•  Sand  and  Gravel:  Enforcement  of  reclamation  obligations — October  2008,  #40,  p.  360 

•  Sand  and  Gravel:  Flat  fee  security  deposit — October  2008,  #41 ,  p.  362 

•  Sand  and  Gravel:  Royalty  rates  for  sand  and  gravel — October  2008,  #42,  p.  364 

•  Sand  and  Gravel:  Quantity  of  aggregate  removed — October  2008,  p.  364 

•  Sand  and  Gravel:  Information  management — October  2008,  p.  366 
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Department,  Energj  and  I  nvironment 

•  Sustainable  Resource  and  I'm  ironmental  Management  (SKIM)  Implementation  Plan 
2004-05.  "14.  p.  72 

(outstanding  3  or  more  years) 
Natural  Resources  Conservation  Board 

•  Compliance  and  enforcement  (Confined  feeding  operations) — 2006-07,  #34,  vol.  2,  p.  167 
(repeated  once  since  2(103  IU>  (outstanding  3  or  more  years) 

Tourism,  Parks  and  Recreation  and  Culture  and  Community  Spirit 

•  Computer  control  environment    2006  07.  vol.  2.  p.  1 72 


Transportation 

*  •      Commercial  and  motor  vehicle  inspection  programs — 2003-04,  #29,  p.  301 

(outstanding  3  or  more  years) 

*  •      Licensing  inspection  facilities  and  technicians — 2003-04,  #30,  p.  303 

(outstanding  3  or  more  years) 

*  •      Capital  grants  to  Metis  Settlements — November  2006,  #5,  p.  24 

*  •      Conflicts  of  interest  for  contracted  IT  professionals — April  2008.  #5  and  #6,  p.  1 55 


Treasury  Board 

•  Corporate  government  accounting  policies — 2002-03,  #2,  p.  40 
(repeated  6  times  since  1996-97)  (outstanding  3  or  more  years) 

*  •  Infrastructure  needs:  Roles  and  responsibilities — 2006-07,  #1,  vol.  1.  p.  39 

•  Infrastructure  needs:  Maintenance  and  life-cycle  costs — 2006-07,  #2,  \  ol.  1 .  p.  49 

•  Infrastructure  needs:  Deferred  maintenance  and  life-cycle  costs — 2006-07,  #3,  vol.  I.  p.  54 

*  •  Infrastructure  needs:  Process  to  prioritize  projects — 2006-07,  #4,  vol.  1.  p.  57 

*  •  Infrastructure  needs:  Improving  current  information — 2006-07,  #5,  vol.  1.  p.  59 

*  •  Government  credit  cards — 2006-07,  #  1 7.  vol.  I .  p.  1 74 

•  Inconsistent  budgeting  and  accounting  for  grants — 2006-07,  vol.  2,  p.  1 78 

•  CEO  compensation  disclosure — October  2008,  #3,  p.  32 

•  Salary  and  benefits  disclosure — October  2008.  p.  37 1 

•  Report  on  select  payments  to  MLAs — Content — October  2008,  p.  375 

*  •  Report  on  select  payments  to  MLAs — Efficiency— October  2008,  p.  376 

*  •  Report  on  select  payments  to  MLAs — Timely — October  2008.  p.  377 
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Reference 


Glossary 


Glossary 


iccou  ntuhilitv 


Accrual  basis  of 
accounting 

Adverse  auditor's  opinion 
\ssurance 


Attest  work,  attest  audit 
Audit 

Auditor 

Auditor's  opinion 
Auditor's  report 
Business  cases 


C  apital  asset 

(OBIT 


Criteria 
Cross-ministry 

Crown 


This  glossary  explains  key  accounting  terms  and  concepts  in  this  report. 

Responsibility  for  the  consequences  of  actions.  In  this  report,  accountability  requires 
ministries,  departments  and  other  entities  to: 

•  report  their  results  (what  they  spent  and  what  they  achieved)  and  compare  them  to 
their  goals 

•  explain  any  differences  between  their  goals  and  results 

Government  accountability  allows  Albertans  to  decide  whether  the  government  is  doing  .1 
good  job.  They  can  compare  the  costs  and  benefits  of  government  action:  what  it  spends, 
what  it  tries  to  do  (goals),  and  what  it  actually  does  (results). 

A  way  of  recording  financial  transactions  that  puts  revenues  and  expenses  in  the  period 
when  they  are  earned  and  incurred. 

An  auditor's  opinion  that  financial  statements  are  not  presented  fairly  and  are  not  reliable. 

An  auditor's  written  conclusion  about  something  audited.  Absolute  assurance  is  impossible 
because  of  several  factors,  including  the  nature  of  judgment  and  testing,  the  inherent 
limitations  of  control,  and  the  fact  that  much  of  the  evidence  available  to  an  auditor  is  only 
persuasive,  not  conclusive. 

Work  an  auditor  does  to  express  an  opinion  on  the  reliability  of  financial  statements. 

An  auditor's  examination  and  verification  of  evidence  to  determine  the  reliability  of 
financial  information,  to  evaluate  compliance  with  laws,  or  to  report  on  the  adequacy  of 
management  systems,  controls  and  practices. 

A  person  who  examines  systems  and  financial  information. 

An  auditor's  written  opinion  on  whether  things  audited  meet  the  criteria  that  apply  to  them. 
An  auditor's  w  ritten  communication  on  the  results  of  an  audit. 

An  assessment  of  a  project's  financial,  social  and  economic  impacts.  A  business  case  is  a 
proposal  that  analyses  the  costs,  benefits  and  risks  associated  with  the  proposed 
investment,  including  reasonable  alternatives.  The  province  has  issued  business  case  usage 
guidelines  and  a  business  case  template  that  the  Department  can  refer  to  in  establishing  its 
business  case  policy. 

A  long-term  asset. 

Abbreviation  for  "Control  Objectives  for  Information  and  Related  Technology."  COBIT  was 
developed  by  the  Information  Systems  Audit  and  Control  Foundation  and  the  IT 
Governance  Institute.  COBIT  provides  good  practices  for  managing  IT  processes  to  meet  the 
needs  of  enterprise  management.  It  bridges  the  gaps  between  business  risks,  technical 
issues,  control  needs,  and  performance  measurement  requirements. 

Reasonable  and  attainable  standards  of  performance  that  auditors  use  to  assess  systems. 

The  section  of  this  report  covering  systems  and  problems  that  affect  several  ministries  or 
the  w  hole  government. 

The  Gov  ernment  of  Alberta. 
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ERP 


Exception 
Expense 

GAAP 

Governance 
IMAGIS 

Internal  audit 


Internal  control 


Management  letter 


Material,  materiality 
Misstatement 


Any  maintenance  work  not  performed  when  it  should  be.  Maintenance  work  should  be 
performed  when  necessary  to  ensure  capital  assets  provide  acceptable  service  over  their 
expected  lives. 

Abbreviation  for  Enterprise  Resource  Planning.  ERPs  integrate  and  automate  all  data  and 
processes  of  an  organization  into  one  comprehensive  system.  A  typical  ERP  has  multiple 
modules  within  a  computer  software  application,  standardized  hardware,  and  a  centralized 
database  used  by  all  modules  to  achieve  this  integration.  Although  an  ERP  can  be  as  small 
as  an  accounting  and  payroll  application,  the  term  ERP  is  usually  associated  with  larger 
systems  that  perform  many  functions  within  an  organization.  Examples  of  modules  in  an 
ERP.  which  formerly  would  have  been  stand-alone  applications,  include:  Financials 
(General  Ledger,  Accounts  Payable,  and  Accounts  Receivable),  Payroll,  Human 
Resources.  Purchasing  and  Supply  Chain,  Project  Management,  Asset  Management, 
Student  Administration  Systems  and  Decision  Support  Systems.  Some  of  the  more  ' 
common  ERPs  are  PeopleSoft,  SAP,  Great  Plains,  and  Oracle  Applications. 

Something  that  does  not  meet  the  criteria  it  should  meet— see  "Auditor's  opinion." 
The  cost  of  a  thing  over  a  specific  time. 

Abbreviation  for  "generally  accepted  accounting  principles."  which  are  established  by  the 
Canadian  Institute  of  Chartered  Accountants. 

A  process  and  structure  that  brings  together  capable  people  and  relevant  information  to 
achieve  goals.  Governance  defines  an  organization's  accountability  systems  and  ensures 
the  effective  use  of  public  resources. 

Abbreviation  for  the  government's  Integrated  Management  Information  System— a 
customized  version  of  PeopleSoft.  It  is  the  main  computer  program  that  ministries  use  for 
financial  and  human  resource  information  systems. 

A  group  of  auditors  within  a  ministry  (or  an  organization)  that  assesses  and  reports  on  the 
adequacy  of  the  ministry's  internal  controls.  The  group  reports  its  findings  directly  to  the 
deputy  minister.  Internal  auditors  need  an  unrestricted  scope  to  examine  business 
strategies;  internal  control  systems;  compliance  with  policies,  procedures,  and  legislation- 
economical  and  efficient  use  of  resources;  and  the  effectiveness  of  operations. 

A  system  designed  to  provide  reasonable  assurance  that  an  organization  will  achieve  its 
goals.  Management  is  responsible  for  an  effective  internal  control  system  in  an 
organization,  and  the  organization's  governing  body  should  ensure  that  the  control  system 
operates  as  intended.  A  control  system  is  effective  when  the  governing  body  and 
management  have  reasonable  assurance  that: 

•  they  understand  the  effectiveness  and  efficiency  of  operations 

•  internal  and  external  reporting  is  reliable 

•  the  organization  is  complying  with  laws,  regulations,  and  internal  policies 

Our  letter  to  the  management  of  an  entity  that  we  have  audited.  In  the  letter,  we  explain: 

1 .  our  work 

2.  our  findings 

3.  our  recommendation  of  what  the  entity  should  improve  and  how  it  should  do  so 

4.  the  risks  if  the  entity  does  not  implement  the  recommendation 

We  also  ask  the  entity  to  explain  specifically  how  and  when  it  will  implement  the 
recommendation. 

Something  important  to  decision-makers. 

A  misrepresentation  of  financial  information  due  to  mistake,  fraud,  or  other  irregularities. 
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Outcomes 
Outputs 

Performance  measure 
Performance  reporting 
Performance  target 
Qualified  auditor's  opinion 

Recommendation 
Rev  iew 


Risk 

Risk  management 
Securitization 

Sole  source  contract 

Specified  auditing 
procedures 

Systems  (management) 
Systems  (accounting) 
Systems  audit 


The  results  an  organization  tries  to  achie\e  based  on  its  goals. 

The  goods  and  services  an  organization  actually  delivers  to  achieve  outcomes  They  show 
"how  much  '  or  "how  main  ." 

Indicator  of  progress  in  achieving  a  goal. 

Reporting  on  financial  and  non-financial  performance  compared  to  plans. 
The  expected  result  for  a  performance  measure. 

An  auditor's  opinion  that  things  audited  meet  the  criteria  that  apply  to  them,  except  for  one 
or  more  specific  areas — which  cause  the  qualification. 

A  solution  we — the  Office  of  the  Auditor  General  of  Alberta  propose  to  improve  the  use 
of  public  resources  or  to  improve  performance  reporting  to  Albertans. 

Rev  iews  are  different  from  audits  in  that  the  scope  of  a  review  is  less  than  that  of  an  audit 
and  therefore  the  level  of  assurance  is  lower.  A  review  consists  primarily  of  enquiry, 
analytical  procedures  and  discussion  related  to  information  supplied  to  the  reviewer  w  ith 
the  objective  of  assessing  whether  the  information  being  reported  on  is  plausible  in  relation 
to  the  criteria. 

Anything  that  impairs  an  organization's  ability  to  achieve  its  goals. 

Identifying  and  then  minimizing  or  eliminating  risk  and  its  effects. 

Is  a  financial  transaction,  w  hich  involves  the  pooling  and  repackaging  of  cash-flow 
producing  financial  assets  into  securities  that  are  then  sold  to  investors. 

An  agreement  w  ith  just  one  supplier  chosen  without  a  competitive  bidding  process. 

Actions  an  auditor  performs  to  check  certain  qualities,  such  as  reliability,  of  reported 
information  that  management  asks  the  auditor  to  check.  Specified  auditing  procedures  are 
not  extensive  enough  to  allow  the  auditor  to  express  an  opinion  on  the  information. 

A  set  of  interrelated  management  control  processes  designed  to  achieve  goals 
economically  and  efficiently. 

A  set  of  interrelated  accounting  control  processes  for  revenue,  spending,  the  preserv  ation 
or  use  of  assets,  and  the  determination  of  liabilities. 

To  help  improve  the  use  of  public  resources,  we  audit  and  recommend  improvements  to 
systems  designed  to  ensure  value  for  money. 

Paragraphs  (d)  and  (e)  of  subsection  19(2)  of  the  Auditor  General  An  require  us  to  report 
every  case  in  w  hich  we  observe  that: 


•  an  accounting  system  or  management  control  system,  including  those  designed  to 
ensure  economy  and  efficiency,  was  not  in  existence,  or  was  inadequate  or  not 
complied  w  ith,  or 

•  appropriate  and  reasonable  procedures  to  measure  and  report  on  the  effectiv  eness  of 
programs  were  not  established  or  complied  w  ith. 

To  meet  this  requirement,  we  do  systems  audits.  First,  we  develop  criteria  (the  standards) 
that  a  system  or  procedure  should  meet.  We  always  discuss  our  proposed  criteria  w  ith 
management  and  try  to  gain  their  agreement  to  them.  Then  we  do  our  work  to  gather  audit 
evidence. 
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Next,  we  match  our  evidence  to  the  criteria.  If  the  audit  evidence  matches  all  the  criteria, 
we  conclude  the  system  or  procedure  is  operating  properly.  But  if  the  evidence  doesn't 
match  all  the  criteria,  we  have  an  audit  finding  that  leads  us  to  recommend  what  the 
ministry  must  do  to  ensure  that  the  system  or  procedure  will  meet  all  the  criteria. 

For  example,  if  we  have  5  criteria  and  a  system  meets  3  of  them,  the  2  unmet  criteria  lead 
to  the  recommendation. 


Unqualified  auditor's 
opinion 


A  systems  audi!  should  not  be  confused  with  assessing  systems  with  a  view  to  relying  on 
them  in  an  audit  of  financial  statements. 

An  auditor's  opinion  that  information  audited  meet  the  criteria  that  apply  to  them. 


Unqualified  review 
engagement  report 


Value  for  moiu\ 


Although  sufficient  audit  evidence  has  not  been  obtained  to  enable  us  to  express  an 
auditor's  opinion,  nothing  has  come  to  our  attention  that  causes  us  to  believe  that  the 
information  being  reported  on  is  not,  in  all  material  respects,  in  accordance  with 
appropriate  criteria. 

The  concept  underlying  a  systems  audit  is  value  for  money.  It  is  the  "bottom  line"  for  the 
public  sector,  analogous  to  profit  in  the  private  sector.  The  greater  the  value  added  by  a 
government  program,  the  more  effective  it  is.  The  fewer  resources  that  are  used  to  create 
that  value,  the  more  economical  or  efficient  the  program  is.  "Value"  in  this  context  means 
the  impact  that  the  program  is  intended  to  achieve  or  promote  on  conditions  such  as  public 
health,  highw  ay  safety,  crime,  or  farm  incomes.  To  help  improve  the  use  of  public 
resources,  we  audit  and  recommend  improvements  to  systems  designed  to  ensure  value  for 
money. 


Other  resources 

The  Canadian  Institute  of  Chartered  Accountants  (CICA)  produces  a  useful  book  called,  Terminology  for  Accountants.  They 
can  be  contacted  at  CICA,  277  Wellington  Street  West,  Toronto,  Ontario,  Canada  M5V  3H2  or  www.cica.ca. 
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